don't autohide on first launch

.gitignore

@@ -5,3 +5,4 @@ src-tauri/target/
 
 # just in case
 credentials*
+!credentials.rs

doc/cryptography.md

@@ -0,0 +1,9 @@
+My original plan was to use [libsodium](https://doc.libsodium.org/) to handle encryption. However, the Rust bindings for libsodium are no longer actively maintained, which left me uncomfortable with using it. Instead, I switched to the [RustCrypto](https://github.com/RustCrypto) implementations of the same (or nearly the same) cryptographic primitives provided by libsodium.
+
+Creddy makes use of two cryptographic primitives: A key-derivation function, which is currently `argon2id`, and a symmetric encryption algorithm, currently `XChaCha20Poly1305`. 
+* I chose `argon2id` because it's what libsodium uses, and because its difficulty parameters admit of very granular tuning.
+* I chose `XChaCha20Poly1305` because it's _almost_ what libsodium uses - libsodium uses `XSalsa20Poly1305`, and it's my undersatnding that `XChaCha20Poly1305` is an evolution of the former. In both cases I use the eXtended variants, which make use of longer (24-byte) nonces than the non-X variants. This appealed to me because I wanted to be able to randomly generate a nonce every time I needed one, and I have seen [recommendations](https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html) that the 12-byte nonces used by the non-X variants are _juuust_ a touch small for that to be truly worry-free. The RustCrypto implementation of `XChaCha20Poly1305` has also been subject to a security audit, which is nice.
+
+I tuned the `argon2id` parameters so that key-derivation would take ~800ms on my Ryzen 1600X. This is probably overkill, but I don't intend for key-derivation to be a frequent occurrence - no more than once a day, under normal circumstances. Taking in the neighborhood of 1 second seemed about the longest I could reasonably go.
+
+**DISCLAIMER**: I am not a professional cryptographer, merely an interested amateur. While I've tried to be as careful as possible with selecting and making use of the cryptographic building blocks I've chosen here, there is always the possibility that I've screwed something up. If anyone would like to sponsor an _actual_ security review of Creddy by people who _actually_ know what they're doing instead of just what they've read on the internet, please let me know.

index.html

@@ -1,25 +1,13 @@
 <!DOCTYPE html>
-<html lang="en">
+<html lang="en" data-theme="dark">
   <head>
     <meta charset="UTF-8" />
     <link rel="icon" type="image/svg+xml" href="/vite.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Vite + Svelte</title>
 
-    <style>
-      body {
-        margin:  0;
-        display:  grid;
-        align-items: center;
-        justify-items: center;
-        min-width:  100vw;
-        min-height:  100vh;
-      }
-    </style>
-
   </head>
-  <body class="bg-zinc-800">
-    <div id="app"></div>
+  <body id="app" class="m-0">
     <script type="module" src="/src/main.js"></script>
   </body>
 </html>

package.json

@@ -1,6 +1,6 @@
 {
   "name": "creddy",
-  "version": "0.1.0",
+  "version": "0.2.3",
   "scripts": {
     "dev": "vite",
     "build": "vite build",
@@ -17,6 +17,7 @@
     "vite": "^3.0.7"
   },
   "dependencies": {
-    "@tauri-apps/api": "^1.0.2"
+    "@tauri-apps/api": "^1.0.2",
+    "daisyui": "^2.51.5"
   }
 }

src-tauri/.cargo/config.toml

@@ -0,0 +1,7 @@
+[target.x86_64-unknown-linux-gnu]
+linker = "clang"
+rustflags = ["-C", "link-arg=--ld-path=/usr/bin/mold"]
+
+[target.x86_64-pc-windows-msvc]
+rustflags = ["-C", "link-arg=-fuse-ld=lld"]
+

src-tauri/.env

@@ -0,0 +1 @@
+DATABASE_URL=sqlite://C:/Users/Joe/AppData/Roaming/creddy/creddy.dev.db

src-tauri/Cargo.toml

@@ -1,14 +1,22 @@
 [package]
-name = "app"
-version = "0.1.0"
-description = "A Tauri App"
-authors = ["you"]
+name = "creddy"
+version = "0.2.3"
+description = "A friendly AWS credentials manager"
+authors = ["Joseph Montanaro"]
 license = ""
 repository = ""
-default-run = "app"
+default-run = "creddy"
 edition = "2021"
 rust-version = "1.57"
 
+[[bin]]
+name = "creddy_cli"
+path = "src/bin/creddy_cli.rs"
+
+[[bin]]
+name = "creddy"
+path = "src/main.rs"
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [build-dependencies]
@@ -17,17 +25,35 @@ tauri-build = { version = "1.0.4", features = [] }
 [dependencies]
 serde_json = "1.0"
 serde = { version = "1.0", features = ["derive"] }
-tauri = { version = "1.0.5", features = ["api-all"] }
+tauri = { version = "1.2", features = ["dialog", "os-all", "system-tray"] }
+tauri-plugin-single-instance = { git = "https://github.com/tauri-apps/plugins-workspace", branch = "dev" }
 sodiumoxide = "0.2.7"
 tokio = { version = ">=1.19", features = ["full"] }
 sqlx = { version = "0.6.2", features = ["sqlite", "runtime-tokio-rustls"] }
 netstat2 = "0.9.1"
 sysinfo = "0.26.8"
+aws-types = "0.52.0"
+aws-sdk-sts = "0.22.0"
+aws-smithy-types = "0.52.0"
+aws-config = "0.52.0"
+thiserror = "1.0.38"
+once_cell = "1.16.0"
+strum = "0.24"
+strum_macros = "0.24"
+auto-launch = "0.4.0"
+dirs = "5.0"
+clap = { version = "3.2.23", features = ["derive"] }
+is-terminal = "0.4.7"
+argon2 = { version = "0.5.0", features = ["std"] }
+chacha20poly1305 = { version = "0.10.1", features = ["std"] }
 
 [features]
 # by default Tauri runs in production mode
 # when `tauri dev` runs it is executed with `cargo run --no-default-features` if `devPath` is an URL
-default = [ "custom-protocol" ]
+default = ["custom-protocol"]
 # this feature is used used for production builds where `devPath` points to the filesystem
 # DO NOT remove this
-custom-protocol = [ "tauri/custom-protocol" ]
+custom-protocol = ["tauri/custom-protocol"]
+
+# [profile.dev.build-override]
+# opt-level = 3

src-tauri/conf/cli.wxs

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
+    <Fragment>
+
+        <DirectoryRef Id="INSTALLDIR">
+            <!-- Create a subdirectory for the console binary so that we can add it to PATH -->
+            <Directory Id="BinDir" Name="bin">
+                <Component Id="CliBinary" Guid="b6358c8e-504f-41fd-b14b-38af821dcd04">
+                    <!-- Same name as the main executable, so that it can be invoked as just "creddy" -->
+                    <File Id="Bin_Cli" Source="..\..\creddy_cli.exe" Name="creddy.exe" KeyPath="yes"/>
+                </Component>
+            </Directory>
+        </DirectoryRef>
+
+        <DirectoryRef Id="TARGETDIR">
+            <Component Id="AddToPath" Guid="b5fdaf7e-94f2-4aad-9144-aa3a8edfa675">
+                <Environment Id="CreddyInstallDir" Action="set" Name="PATH" Part="last" Permanent="no" Value="[BinDir]" />
+            </Component>
+        </DirectoryRef>
+
+    </Fragment>
+</Wix>

src-tauri/migrations/20221201002355_initial.sql

@@ -3,12 +3,13 @@ CREATE TABLE credentials (
     access_key_id TEXT NOT NULL,
     secret_key_enc BLOB NOT NULL,
     salt BLOB NOT NULL,
-    nonce BLOB NOT NULL
+    nonce BLOB NOT NULL,
+    created_at INTEGER NOT NULL
 );
 
 CREATE TABLE config (
-    name TEXT,
-    data TEXT
+    name TEXT UNIQUE NOT NULL,
+    data TEXT NOT NULL
 );
 
 CREATE TABLE clients (

src-tauri/src/app.rs

@@ -0,0 +1,95 @@
+use std::error::Error;
+
+use once_cell::sync::OnceCell;
+use sqlx::{
+    SqlitePool,
+    sqlite::SqlitePoolOptions,
+    sqlite::SqliteConnectOptions,
+};
+use tauri::{
+    App,
+    AppHandle,
+    Manager,
+    async_runtime as rt,
+};
+
+use crate::{
+    config::{self, AppConfig},
+    credentials::Session,
+    ipc,
+    server::Server,
+    errors::*,
+    state::AppState,
+    tray,
+};
+
+
+pub static APP: OnceCell<AppHandle> = OnceCell::new();
+
+
+pub fn run() -> tauri::Result<()> {
+    tauri::Builder::default()
+        .plugin(tauri_plugin_single_instance::init(|app, _argv, _cwd| {
+            app.get_window("main")
+                .map(|w| w.show().error_popup("Failed to show main window"));
+        }))
+        .system_tray(tray::create())
+        .on_system_tray_event(tray::handle_event)
+        .invoke_handler(tauri::generate_handler![
+            ipc::unlock,
+            ipc::respond,
+            ipc::get_session_status,
+            ipc::save_credentials,
+            ipc::get_config,
+            ipc::save_config,
+        ])
+        .setup(|app| rt::block_on(setup(app)))
+        .build(tauri::generate_context!())?
+        .run(|app, run_event| match run_event {
+            tauri::RunEvent::WindowEvent { label, event, .. } => match event {
+                tauri::WindowEvent::CloseRequested { api, .. } => {
+                    let _ = app.get_window(&label).map(|w| w.hide());
+                    api.prevent_close();
+                }
+                _ => ()
+            }
+            _ => ()
+        });
+
+    Ok(())
+}
+
+
+pub async fn connect_db() -> Result<SqlitePool, SetupError> {
+    let conn_opts = SqliteConnectOptions::new()
+        .filename(config::get_or_create_db_path()?)
+        .create_if_missing(true);
+    let pool_opts = SqlitePoolOptions::new();
+    let pool: SqlitePool = pool_opts.connect_with(conn_opts).await?;
+    sqlx::migrate!().run(&pool).await?;
+    Ok(pool)
+}
+
+
+async fn setup(app: &mut App) -> Result<(), Box<dyn Error>> {
+    APP.set(app.handle()).unwrap();
+
+    let is_first_launch = config::get_or_create_db_path()?.exists();
+
+    let pool = connect_db().await?;
+    let conf = AppConfig::load(&pool).await?;
+    let session = Session::load(&pool).await?;
+    let srv = Server::new(conf.listen_addr, conf.listen_port, app.handle()).await?;
+
+    config::set_auto_launch(conf.start_on_login)?;
+    // if session is empty, this is probably the first launch, so don't autohide
+    if !conf.start_minimized || is_first_launch {
+        app.get_window("main")
+            .ok_or(HandlerError::NoMainWindow)?
+            .show()?;
+    }
+
+    let state = AppState::new(conf, session, srv, pool);
+    app.manage(state);
+    Ok(())
+}

src-tauri/src/bin/creddy_cli.rs

@@ -0,0 +1,45 @@
+// Windows isn't really amenable to having a single executable work as both a CLI and GUI app,
+// so we just have a second binary for CLI usage
+use creddy::{
+    cli,
+    errors::CliError,
+};
+use std::{
+    env,
+    process::{self, Command},
+};
+
+
+fn main() {
+    let args = cli::parser().get_matches();
+    if let Some(true) = args.get_one::<bool>("help") {
+        cli::parser().print_help().unwrap(); // if we can't print help we can't print an error
+        process::exit(0);
+    }
+
+    let res = match args.subcommand() {
+        None | Some(("run", _)) => launch_gui(),
+        Some(("show", m)) => cli::show(m),
+        Some(("exec", m)) => cli::exec(m),
+        _ => unreachable!(),
+    };
+
+    if let Err(e) = res {
+        eprintln!("Error: {e}");
+    }
+}
+
+
+fn launch_gui() -> Result<(), CliError>  {
+    let mut path = env::current_exe()?;
+    path.pop(); // bin dir
+    
+    // binaries are colocated in dev, but not in production
+    #[cfg(not(debug_assertions))]
+    path.pop(); // install dir
+
+    path.push("creddy.exe"); // exe in main install dir (aka gui exe)
+
+    Command::new(path).spawn()?;
+    Ok(())
+}

src-tauri/src/cli.rs

@@ -0,0 +1,146 @@
+use std::process::Command as ChildCommand;
+#[cfg(unix)]
+use std::os::unix::process::CommandExt;
+
+use clap::{
+    Command,
+     Arg,
+     ArgMatches,
+     ArgAction
+ };
+use tokio::{
+    net::TcpStream,
+    io::{AsyncReadExt, AsyncWriteExt},
+};
+
+
+use crate::app;
+use crate::config::AppConfig;
+use crate::credentials::{BaseCredentials, SessionCredentials};
+use crate::errors::*;
+
+
+pub fn parser() -> Command<'static> {
+    Command::new("creddy")
+        .about("A friendly AWS credentials manager")
+        .subcommand(
+            Command::new("run")
+                .about("Launch Creddy")
+        )
+        .subcommand(
+            Command::new("show")
+                .about("Fetch and display AWS credentials")
+                .arg(
+                    Arg::new("base")
+                        .short('b')
+                        .long("base")
+                        .action(ArgAction::SetTrue)
+                        .help("Use base credentials instead of session credentials")
+                )
+        )
+        .subcommand(
+            Command::new("exec")
+                .about("Inject AWS credentials into the environment of another command")
+                .trailing_var_arg(true)
+                .arg(
+                    Arg::new("base")
+                        .short('b')
+                        .long("base")
+                        .action(ArgAction::SetTrue)
+                        .help("Use base credentials instead of session credentials")
+                )
+                .arg(
+                    Arg::new("command")
+                        .multiple_values(true)
+                )
+        )
+}
+
+
+pub fn show(args: &ArgMatches) -> Result<(), CliError> {
+    let base = args.get_one("base").unwrap_or(&false);
+    let creds = get_credentials(*base)?;
+    println!("{creds}");
+    Ok(())
+}
+
+
+pub fn exec(args: &ArgMatches) -> Result<(), CliError> {
+    let base = *args.get_one("base").unwrap_or(&false);
+    let mut cmd_line = args.get_many("command")
+        .ok_or(ExecError::NoCommand)?;
+
+    let cmd_name: &String = cmd_line.next().unwrap(); // Clap guarantees that there will be at least one
+    let mut cmd = ChildCommand::new(cmd_name);
+    cmd.args(cmd_line);
+    
+    if base {
+        let creds: BaseCredentials = serde_json::from_str(&get_credentials(base)?)
+            .map_err(|_| RequestError::InvalidJson)?;
+        cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
+        cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
+    }
+    else {
+        let creds: SessionCredentials = serde_json::from_str(&get_credentials(base)?)
+            .map_err(|_| RequestError::InvalidJson)?;
+        cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
+        cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
+        cmd.env("AWS_SESSION_TOKEN", creds.token);
+    }
+
+    #[cfg(unix)]
+    {
+        let e = cmd.exec(); // never returns if successful
+        Err(ExecError::ExecutionFailed(e))?;
+        Ok(())
+    }
+
+    #[cfg(windows)]
+    {
+        let mut child = cmd.spawn()
+            .map_err(|e| ExecError::ExecutionFailed(e))?;
+        let status = child.wait()
+            .map_err(|e| ExecError::ExecutionFailed(e))?;
+        std::process::exit(status.code().unwrap_or(1));
+    };
+}
+
+
+#[tokio::main]
+async fn get_credentials(base: bool) -> Result<String, RequestError> {
+    let pool = app::connect_db().await?;
+    let config = AppConfig::load(&pool).await?;
+    let path = if base {"/creddy/base-credentials"} else {"/"};
+
+    let mut stream = TcpStream::connect((config.listen_addr, config.listen_port)).await?;
+    let req = format!("GET {path} HTTP/1.0\r\n\r\n");
+    stream.write_all(req.as_bytes()).await?;
+
+    // some day we'll have a proper HTTP parser
+    let mut buf = vec![0; 8192];
+    stream.read_to_end(&mut buf).await?;
+
+    let status = buf.split(|&c| &[c] == b" ")
+        .skip(1)
+        .next()
+        .ok_or(RequestError::MalformedHttpResponse)?;
+
+    if status != b"200" {
+        let s = String::from_utf8_lossy(status).to_string();
+        return Err(RequestError::Failed(s));
+    }
+
+    let break_idx = buf.windows(4)
+        .position(|w| w == b"\r\n\r\n")
+        .ok_or(RequestError::MalformedHttpResponse)?;
+    let body = &buf[(break_idx + 4)..];
+
+    let creds_str = std::str::from_utf8(body)
+        .map_err(|_| RequestError::MalformedHttpResponse)?
+        .to_string();
+
+    if creds_str == "Denied!" {
+        return Err(RequestError::Rejected);
+    }
+    Ok(creds_str)
+}

src-tauri/src/clientinfo.rs

@@ -1,17 +1,38 @@
+use std::path::PathBuf;
+
 use netstat2::{AddressFamilyFlags, ProtocolFlags, ProtocolSocketInfo};
-use sysinfo::{System, SystemExt, Pid, ProcessExt};
+use tauri::Manager;
+use sysinfo::{System, SystemExt, Pid, PidExt, ProcessExt};
+use serde::{Serialize, Deserialize};
 
-use crate::errors::*;
-use crate::ipc::Client;
+use crate::{
+    app::APP,
+    errors::*,
+    config::AppConfig,
+    state::AppState,
+};
 
 
-fn get_associated_pids(local_port: u16) -> Result<Vec<u32>, netstat2::error::Error> {
-    let mut it = netstat2::iterate_sockets_info(
+#[derive(Clone, Debug, Serialize, Deserialize, Eq, PartialEq, Hash)]
+pub struct Client {
+    pub pid: u32,
+    pub exe: PathBuf,
+}
+
+
+async fn get_associated_pids(local_port: u16) -> Result<Vec<u32>, netstat2::error::Error> {
+    let state = APP.get().unwrap().state::<AppState>();
+    let AppConfig {
+        listen_addr: app_listen_addr,
+        listen_port: app_listen_port,
+        ..
+    } = *state.config.read().await;
+
+    let sockets_iter = netstat2::iterate_sockets_info(
         AddressFamilyFlags::IPV4,
         ProtocolFlags::TCP
     )?;
-
-    for (i, item) in it.enumerate() {
+    for item in sockets_iter {
         let sock_info = item?;
         let proto_info = match sock_info.protocol_socket_info {
             ProtocolSocketInfo::Tcp(tcp_info) => tcp_info,
@@ -19,9 +40,9 @@ fn get_associated_pids(local_port: u16) -> Result<Vec<u32>, netstat2::error::Err
         };
 
         if proto_info.local_port == local_port
-            && proto_info.remote_port == 12345
-            && proto_info.local_addr == std::net::Ipv4Addr::LOCALHOST
-            && proto_info.remote_addr == std::net::Ipv4Addr::LOCALHOST
+            && proto_info.remote_port == app_listen_port
+            && proto_info.local_addr == app_listen_addr
+            && proto_info.remote_addr == app_listen_addr
         {
             return Ok(sock_info.associated_pids)
         }
@@ -30,22 +51,26 @@ fn get_associated_pids(local_port: u16) -> Result<Vec<u32>, netstat2::error::Err
 }
 
 
-// Theoretically, on some systems, multiple processes can share a socket. We have to 
-// account for this even though 99% of the time there will be only one.
-pub fn get_clients(local_port: u16) -> Result<Vec<Client>, ClientInfoError> {
+// Theoretically, on some systems, multiple processes can share a socket
+pub async fn get_clients(local_port: u16) -> Result<Vec<Option<Client>>, ClientInfoError> {
     let mut clients = Vec::new();    
     let mut sys = System::new();
-    for p in get_associated_pids(local_port)? {
-        let pid = Pid::from(p as usize);
+    for p in get_associated_pids(local_port).await? {
+        let pid = Pid::from_u32(p);
         sys.refresh_process(pid);
         let proc = sys.process(pid)
-            .ok_or(ClientInfoError::PidNotFound)?;
+            .ok_or(ClientInfoError::ProcessNotFound)?;
 
         let client = Client {
             pid: p,
-            exe: proc.exe().to_string_lossy().into_owned(),
+            exe: proc.exe().to_path_buf(),
         };
-        clients.push(client);
+        clients.push(Some(client));
     }
+
+    if clients.is_empty() {
+        clients.push(None); 
+    }
+
     Ok(clients)
 }

src-tauri/src/config.rs

@@ -0,0 +1,123 @@
+use std::net::Ipv4Addr;
+use std::path::PathBuf;
+
+use auto_launch::AutoLaunchBuilder;
+use is_terminal::IsTerminal;
+use serde::{Serialize, Deserialize};
+use sqlx::SqlitePool;
+
+use crate::errors::*;
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct AppConfig {
+    #[serde(default = "default_listen_addr")]
+    pub listen_addr: Ipv4Addr,
+    #[serde(default = "default_listen_port")]
+    pub listen_port: u16,
+    #[serde(default = "default_rehide_ms")]
+    pub rehide_ms: u64,
+    #[serde(default = "default_start_minimized")]
+    pub start_minimized: bool,
+    #[serde(default = "default_start_on_login")]
+    pub start_on_login: bool,
+}
+
+
+impl Default for AppConfig {
+    fn default() -> Self {
+        AppConfig {
+            listen_addr: default_listen_addr(),
+            listen_port: default_listen_port(),
+            rehide_ms: default_rehide_ms(),
+            start_minimized: default_start_minimized(),
+            start_on_login: default_start_on_login(),
+        }
+    }
+}
+
+
+impl AppConfig {
+    pub async fn load(pool: &SqlitePool) -> Result<AppConfig, SetupError> {
+        let res = sqlx::query!("SELECT * from config where name = 'main'")
+            .fetch_optional(pool)
+            .await?;
+
+        let row = match res {
+            Some(row) => row,
+            None => return Ok(AppConfig::default()),
+        };
+
+        Ok(serde_json::from_str(&row.data)?)
+    }
+
+    pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::error::Error> {
+        let data = serde_json::to_string(self).unwrap();
+        sqlx::query(
+            "INSERT INTO config (name, data) VALUES ('main', ?)
+            ON CONFLICT (name) DO UPDATE SET data = ?"
+        )
+            .bind(&data)
+            .bind(&data)
+            .execute(pool)
+            .await?;
+
+        Ok(())
+    }
+}
+
+
+pub fn set_auto_launch(is_configured: bool) -> Result<(), SetupError> {
+    let path_buf = std::env::current_exe()
+        .map_err(|e| auto_launch::Error::Io(e))?;
+    let path = path_buf
+        .to_string_lossy();
+
+    let auto = AutoLaunchBuilder::new()
+        .set_app_name("Creddy")
+        .set_app_path(&path)
+        .build()?;
+
+    let is_enabled = auto.is_enabled()?;
+    if is_configured && !is_enabled {
+        auto.enable()?;
+    }
+    else if !is_configured && is_enabled {
+        auto.disable()?;
+    }
+
+    Ok(())
+}
+
+
+pub fn get_or_create_db_path() -> Result<PathBuf, DataDirError> {
+    let mut path = dirs::data_dir()
+        .ok_or(DataDirError::NotFound)?;
+    path.push("Creddy");
+
+    std::fs::create_dir_all(&path)?;
+    if cfg!(debug_assertions) && std::io::stdout().is_terminal() {
+        path.push("creddy.dev.db");
+    }
+    else {
+        path.push("creddy.db");
+    }
+
+    Ok(path)
+}
+
+
+fn default_listen_port() -> u16 {
+    if cfg!(debug_assertions) {
+        12_345
+    }
+    else {
+        19_923
+    }
+}
+
+fn default_listen_addr() -> Ipv4Addr { Ipv4Addr::LOCALHOST }
+fn default_rehide_ms() -> u64 { 1000 }
+// start minimized and on login only in production mode
+fn default_start_minimized() -> bool { !cfg!(debug_assertions) }
+fn default_start_on_login() -> bool { !cfg!(debug_assertions) }

src-tauri/src/credentials.rs

@@ -0,0 +1,321 @@
+use std::fmt::{self, Formatter};
+use std::time::{SystemTime, UNIX_EPOCH};
+
+ use aws_smithy_types::date_time::{DateTime, Format};
+use argon2::{
+    Argon2,
+    Algorithm,
+    Version,
+    ParamsBuilder,
+    password_hash::rand_core::{RngCore, OsRng},
+};
+use chacha20poly1305::{
+    XChaCha20Poly1305,
+    XNonce,
+    aead::{
+        Aead,
+        AeadCore,
+        KeyInit,
+        Error as AeadError,
+        generic_array::GenericArray,
+    },
+};
+use serde::{
+    Serialize,
+    Deserialize,
+    Serializer,
+    Deserializer,
+};
+use serde::de::{self, Visitor};
+use sqlx::SqlitePool;
+
+
+use crate::errors::*;
+
+
+#[derive(Clone, Debug)]
+pub enum Session {
+    Unlocked{
+        base: BaseCredentials,
+        session: SessionCredentials,
+    },
+    Locked(LockedCredentials),
+    Empty,
+}
+
+impl Session {
+    pub async fn load(pool: &SqlitePool) -> Result<Self, SetupError> {
+        let res = sqlx::query!("SELECT * FROM credentials ORDER BY created_at desc")
+            .fetch_optional(pool)
+            .await?;
+        let row = match res {
+            Some(r) => r,
+            None => {return Ok(Session::Empty);}
+        };
+
+        let salt: [u8; 32] = row.salt
+            .try_into()
+            .map_err(|_e| SetupError::InvalidRecord)?;
+        let nonce = XNonce::from_exact_iter(row.nonce.into_iter())
+            .ok_or(SetupError::InvalidRecord)?;
+
+        let creds = LockedCredentials {
+            access_key_id: row.access_key_id,
+            secret_key_enc: row.secret_key_enc,
+            salt,
+            nonce,
+        };
+        Ok(Session::Locked(creds))
+    }
+
+    pub async fn renew_if_expired(&mut self) -> Result<bool, GetSessionError> {
+        match self {
+            Session::Unlocked{ref base, ref mut session} => {
+                if !session.is_expired() {
+                    return Ok(false);
+                }
+                *session = SessionCredentials::from_base(base).await?;
+                Ok(true)
+            },
+            Session::Locked(_) => Err(GetSessionError::CredentialsLocked),
+            Session::Empty => Err(GetSessionError::CredentialsEmpty),
+        }
+    }
+}
+
+
+#[derive(Clone, Debug)]
+pub struct LockedCredentials {
+    pub access_key_id: String,
+    pub secret_key_enc: Vec<u8>,
+    pub salt: [u8; 32],
+    pub nonce: XNonce,
+}
+
+impl LockedCredentials {
+    pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::Error> {
+        sqlx::query(
+            "INSERT INTO credentials (access_key_id, secret_key_enc, salt, nonce, created_at)
+            VALUES (?, ?, ?, ?, strftime('%s'))"
+        )
+            .bind(&self.access_key_id)
+            .bind(&self.secret_key_enc)
+            .bind(&self.salt[..])
+            .bind(&self.nonce[..])
+            .execute(pool)
+            .await?;
+
+        Ok(())
+    }
+
+    pub fn decrypt(&self, passphrase: &str) -> Result<BaseCredentials, UnlockError> {
+        let crypto = Crypto::new(passphrase, &self.salt)
+            .map_err(|e| CryptoError::Argon2(e))?;
+        let decrypted = crypto.decrypt(&self.nonce, &self.secret_key_enc)
+            .map_err(|e| CryptoError::Aead(e))?;
+        let secret_access_key = String::from_utf8(decrypted)
+            .map_err(|_| UnlockError::InvalidUtf8)?;
+
+        let creds = BaseCredentials {
+            access_key_id: self.access_key_id.clone(),
+            secret_access_key,
+        };
+        Ok(creds)
+    }
+}
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct BaseCredentials {
+    pub access_key_id: String,
+    pub secret_access_key: String,
+}
+
+impl BaseCredentials {
+    pub fn encrypt(&self, passphrase: &str) -> Result<LockedCredentials, CryptoError> {
+        let salt = Crypto::salt();
+        let crypto = Crypto::new(passphrase, &salt)?;
+        let (nonce, secret_key_enc) = crypto.encrypt(self.secret_access_key.as_bytes())?;
+
+        let locked = LockedCredentials {
+            access_key_id: self.access_key_id.clone(),
+            secret_key_enc,
+            salt,
+            nonce,
+        };
+        Ok(locked)
+    }
+}
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct SessionCredentials {
+    pub access_key_id: String,
+    pub secret_access_key: String,
+    pub token: String,
+    #[serde(serialize_with = "serialize_expiration")]
+    #[serde(deserialize_with = "deserialize_expiration")]
+    pub expiration: DateTime,
+}
+
+impl SessionCredentials {
+    pub async fn from_base(base: &BaseCredentials) -> Result<Self, GetSessionError> {
+        let req_creds = aws_sdk_sts::Credentials::new(
+            &base.access_key_id,
+            &base.secret_access_key,
+            None, // token
+            None, //expiration
+            "Creddy", // "provider name" apparently
+        );
+        let config = aws_config::from_env()
+            .credentials_provider(req_creds)
+            .load()
+            .await;
+
+        let client = aws_sdk_sts::Client::new(&config);
+        let resp = client.get_session_token()
+            .duration_seconds(43_200)
+            .send()
+            .await?;
+
+        let aws_session = resp.credentials().ok_or(GetSessionError::EmptyResponse)?;
+
+        let access_key_id = aws_session.access_key_id()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let secret_access_key = aws_session.secret_access_key()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let token = aws_session.session_token()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let expiration = aws_session.expiration()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .clone();
+
+        let session_creds = SessionCredentials {
+            access_key_id,
+            secret_access_key,
+            token,
+            expiration,
+        };
+
+        #[cfg(debug_assertions)]
+        println!("Got new session:\n{}", serde_json::to_string(&session_creds).unwrap());
+
+        Ok(session_creds)
+    }
+
+    pub fn is_expired(&self) -> bool {
+        let current_ts = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap() // doesn't panic because UNIX_EPOCH won't be later than now()
+            .as_secs();
+
+        let expire_ts = self.expiration.secs();
+        let remaining = expire_ts - (current_ts as i64);
+        remaining < 60
+    }
+}
+
+fn serialize_expiration<S>(exp: &DateTime, serializer: S) -> Result<S::Ok, S::Error>
+where S: Serializer
+{
+    // this only fails if the d/t is out of range, which it can't be for this format
+    let time_str = exp.fmt(Format::DateTime).unwrap();
+    serializer.serialize_str(&time_str)
+}
+
+
+struct DateTimeVisitor;
+
+impl<'de> Visitor<'de> for DateTimeVisitor {
+    type Value = DateTime;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an RFC 3339 UTC string, e.g. \"2014-01-05T10:17:34Z\"")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<DateTime, E> {
+        DateTime::from_str(v, Format::DateTime)
+            .map_err(|_| E::custom(format!("Invalid date/time: {v}")))
+    }
+}
+
+
+fn deserialize_expiration<'de, D>(deserializer: D) -> Result<DateTime, D::Error>
+where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(DateTimeVisitor)
+}
+
+
+struct Crypto {
+    cipher: XChaCha20Poly1305,
+}
+
+impl Crypto {
+    /// Argon2 params rationale:
+    ///
+    /// m_cost is measured in KiB, so 128 * 1024 gives us 128MiB.
+    /// This should roughly double the memory usage of the application
+    /// while deriving the key.
+    ///
+    /// p_cost is irrelevant since (at present) there isn't any parallelism
+    /// implemented, so we leave it at 1.
+    ///
+    /// With the above m_cost, t_cost = 8 results in about 800ms to derive
+    /// a key on my (somewhat older) CPU. This is probably overkill, but
+    /// given that it should only have to happen ~once a day for most 
+    /// usage, it should be acceptable.
+    #[cfg(not(debug_assertions))]
+    const MEM_COST: u32 = 128 * 1024;
+    #[cfg(not(debug_assertions))]
+    const TIME_COST: u32 = 8;
+
+    /// But since this takes a million years without optimizations,
+    /// we turn it way down in debug builds.
+    #[cfg(debug_assertions)]
+    const MEM_COST: u32 = 48 * 1024;
+    #[cfg(debug_assertions)]
+    const TIME_COST: u32 = 1;
+    
+
+    fn new(passphrase: &str, salt: &[u8]) -> argon2::Result<Crypto> {
+        let params = ParamsBuilder::new()
+            .m_cost(Self::MEM_COST)
+            .p_cost(1)
+            .t_cost(Self::TIME_COST)
+            .build()
+            .unwrap(); // only errors if the given params are invalid
+
+        let hasher = Argon2::new(
+            Algorithm::Argon2id,
+            Version::V0x13,
+            params,
+        );
+
+        let mut key = [0; 32];
+        hasher.hash_password_into(passphrase.as_bytes(), &salt, &mut key)?;
+        let cipher = XChaCha20Poly1305::new(GenericArray::from_slice(&key));
+        Ok(Crypto { cipher })
+    }
+
+    fn salt() -> [u8; 32] {
+        let mut salt = [0; 32];
+        OsRng.fill_bytes(&mut salt);
+        salt
+    }
+
+    fn encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), AeadError> {
+        let nonce = XChaCha20Poly1305::generate_nonce(&mut OsRng);
+        let ciphertext = self.cipher.encrypt(&nonce, data)?;
+        Ok((nonce, ciphertext))
+    }
+
+    fn decrypt(&self, nonce: &XNonce, data: &[u8]) -> Result<Vec<u8>, AeadError> {
+        self.cipher.decrypt(nonce, data)
+    }
+}

src-tauri/src/errors.rs

@@ -1,144 +1,329 @@
-use std::fmt::{Display, Formatter};
-use std::convert::From;
-use std::str::Utf8Error;
+use std::error::Error;
+use std::convert::AsRef;
+use std::sync::mpsc;
+use strum_macros::AsRefStr;
 
+use thiserror::Error as ThisError;
+use aws_sdk_sts::{
+    types::SdkError as AwsSdkError, 
+    error::GetSessionTokenError,
+};
 use sqlx::{
     error::Error as SqlxError,
     migrate::MigrateError,
 };
+use tauri::api::dialog::{
+    MessageDialogBuilder, 
+    MessageDialogKind,
+};
+use serde::{Serialize, Serializer, ser::SerializeMap};
+
+
+pub trait ErrorPopup {
+    fn error_popup(self, title: &str);
+}
+
+impl<E: Error> ErrorPopup for Result<(), E> {
+    fn error_popup(self, title: &str) {
+        if let Err(e) = self {
+            let (tx, rx) = mpsc::channel();
+            MessageDialogBuilder::new(title, format!("{e}"))
+                .kind(MessageDialogKind::Error)
+                .show(move |_| tx.send(true).unwrap());
+
+            rx.recv().unwrap();
+        }
+    }
+}
+
+
+fn serialize_basic_err<E, S>(err: &E, serializer: S) -> Result<S::Ok, S::Error>
+where
+    E: std::error::Error + AsRef<str>,
+    S: Serializer,
+{
+    let mut map = serializer.serialize_map(None)?;
+    map.serialize_entry("code", err.as_ref())?;
+    map.serialize_entry("msg", &format!("{err}"))?;
+    if let Some(src) = err.source() {
+        map.serialize_entry("source", &format!("{src}"))?;
+    }
+    map.end()
+}
+
+
+fn serialize_upstream_err<E, M>(err: &E, map: &mut M) -> Result<(), M::Error> 
+where
+    E: Error,
+    M: serde::ser::SerializeMap,
+{
+    let msg = err.source().map(|s| format!("{s}"));
+    map.serialize_entry("msg", &msg)?;
+    map.serialize_entry("code", &None::<&str>)?;
+    map.serialize_entry("source", &None::<&str>)?;
+
+    Ok(())
+}
+
+
+macro_rules! impl_serialize_basic {
+    ($err_type:ident) => {
+        impl Serialize for $err_type {
+            fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+                serialize_basic_err(self, serializer)
+            }
+        }
+    }
+}
 
 
 // error during initial setup (primarily loading state from db)
+#[derive(Debug, ThisError, AsRefStr)]
 pub enum SetupError {
+    #[error("Invalid database record")]
     InvalidRecord, // e.g. wrong size blob for nonce or salt
-    DbError(SqlxError),
-}
-impl From<SqlxError> for SetupError {
-    fn from(e: SqlxError) -> SetupError {
-        SetupError::DbError(e)
-    }
-}
-impl From<MigrateError> for SetupError {
-    fn from (e: MigrateError) -> SetupError {
-        SetupError::DbError(SqlxError::from(e))
-    }
-}
-impl Display for SetupError {
-    fn fmt(&self, f: &mut Formatter) -> Result<(), std::fmt::Error> {
-        match self {
-            SetupError::InvalidRecord => write!(f, "Malformed database record"),
-            SetupError::DbError(e) => write!(f, "Error from database: {e}"),
-        }
-    }
+    #[error("Error from database: {0}")]
+    DbError(#[from] SqlxError),
+    #[error("Error running migrations: {0}")]
+    MigrationError(#[from] MigrateError),
+    #[error("Error parsing configuration from database")]
+    ConfigParseError(#[from] serde_json::Error),
+    #[error("Failed to set up start-on-login: {0}")]
+    AutoLaunchError(#[from] auto_launch::Error),
+    #[error("Failed to start listener: {0}")]
+    ServerSetupError(#[from] std::io::Error),
+    #[error("Failed to resolve data directory: {0}")]
+    DataDir(#[from] DataDirError),
 }
 
 
-// error when attempting to tell a request handler whether to release or deny crednetials
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum DataDirError {
+    #[error("Could not determine data directory")]
+    NotFound,
+    #[error("Failed to create data directory: {0}")]
+    Io(#[from] std::io::Error),
+}
+
+
+// error when attempting to tell a request handler whether to release or deny credentials
+#[derive(Debug, ThisError, AsRefStr)]
 pub enum SendResponseError {
-    NotFound, // no request with the given id
-    Abandoned, // request has already been closed by client
-}
-
-impl Display for SendResponseError {
-    fn fmt(&self, f: &mut Formatter) -> Result<(), std::fmt::Error> {
-        use SendResponseError::*;
-        match self {
-            NotFound => write!(f, "The specified command was not found."),
-            Abandoned => write!(f, "The specified request was closed by the client."),
-        }
-    }
+    #[error("The specified credentials request was not found")]
+    NotFound,
+    #[error("The specified request was already closed by the client")]
+    Abandoned,
+    #[error("Could not renew AWS sesssion: {0}")]
+    SessionRenew(#[from] GetSessionError),
 }
 
 
 // errors encountered while handling an HTTP request
-pub enum RequestError {
-    StreamIOError(std::io::Error),
-    InvalidUtf8,
-    MalformedHttpRequest,
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum HandlerError {
+    #[error("Error writing to stream: {0}")]
+    StreamIOError(#[from] std::io::Error),
+    // #[error("Received invalid UTF-8 in request")]
+    // InvalidUtf8,
+    #[error("HTTP request malformed")]
+    BadRequest(Vec<u8>),
+    #[error("HTTP request too large")]
     RequestTooLarge,
-    NoCredentials(GetCredentialsError),
-    ClientInfo(ClientInfoError),
-}
-impl From<tokio::io::Error> for RequestError {
-    fn from(e: std::io::Error) -> RequestError {
-        RequestError::StreamIOError(e)
-    }
-}
-impl From<Utf8Error> for RequestError {
-    fn from(_e: Utf8Error) -> RequestError {
-        RequestError::InvalidUtf8
-    }
-}
-impl From<GetCredentialsError> for RequestError {
-    fn from (e: GetCredentialsError) -> RequestError {
-        RequestError::NoCredentials(e)
-    }
-}
-impl From<ClientInfoError> for RequestError {
-    fn from(e: ClientInfoError) -> RequestError {
-        RequestError::ClientInfo(e)
-    }
-}
-
-impl Display for RequestError {
-    fn fmt(&self, f: &mut Formatter) -> Result<(), std::fmt::Error> {
-        use RequestError::*;
-        match self {
-            StreamIOError(e) => write!(f, "Stream IO error: {e}"),
-            InvalidUtf8 => write!(f, "Could not decode UTF-8 from bytestream"),
-            MalformedHttpRequest => write!(f, "Maformed HTTP request"),
-            RequestTooLarge => write!(f, "HTTP request too large"),
-            NoCredentials(GetCredentialsError::Locked) => write!(f, "Recieved go-ahead but app is locked"),
-            NoCredentials(GetCredentialsError::Empty) => write!(f, "Received go-ahead but no credentials are known"),
-            ClientInfo(ClientInfoError::PidNotFound) => write!(f, "Could not resolve PID of client process."),
-            ClientInfo(ClientInfoError::NetstatError(e)) => write!(f, "Error getting client socket details: {e}"),
-        }
-    }
+    #[error("Error accessing credentials: {0}")]
+    NoCredentials(#[from] GetCredentialsError),
+    #[error("Error getting client details: {0}")]
+    ClientInfo(#[from] ClientInfoError),
+    #[error("Error from Tauri: {0}")]
+    Tauri(#[from] tauri::Error),
+    #[error("No main application window found")]
+    NoMainWindow,
 }
 
 
+#[derive(Debug, ThisError, AsRefStr)]
 pub enum GetCredentialsError {
+    #[error("Credentials are currently locked")]
     Locked,
+    #[error("No credentials are known")]
     Empty,
 }
 
 
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum GetSessionError {
+    #[error("Request completed successfully but no credentials were returned")]
+    EmptyResponse, // SDK returned successfully but credentials are None
+    #[error("Error response from AWS SDK: {0}")]
+    SdkError(#[from] AwsSdkError<GetSessionTokenError>),
+    #[error("Could not construt session: credentials are locked")]
+    CredentialsLocked,
+    #[error("Could not construct session: no credentials are known")]
+    CredentialsEmpty,
+}
+
+
+#[derive(Debug, ThisError, AsRefStr)]
 pub enum UnlockError {
+    #[error("App is not locked")]
     NotLocked,
+    #[error("No saved credentials were found")]
     NoCredentials,
-    BadPassphrase,
+    #[error(transparent)]
+    Crypto(#[from] CryptoError),
+    #[error("Data was found to be corrupt after decryption")]
     InvalidUtf8, // Somehow we got invalid utf-8 even though decryption succeeded
-    DbError(SqlxError),
+    #[error("Database error: {0}")]
+    DbError(#[from] SqlxError),
+    #[error("Failed to create AWS session: {0}")]
+    GetSession(#[from] GetSessionError),
 }
-impl From<SqlxError> for UnlockError {
-    fn from (e: SqlxError) -> UnlockError {
-        match e {
-            SqlxError::RowNotFound => UnlockError::NoCredentials,
-            _ => UnlockError::DbError(e),
-        }
-    }
-}
-impl Display for UnlockError {
-    fn fmt(&self, f: &mut Formatter) -> Result<(), std::fmt::Error> {
-        use UnlockError::*;
-        match self {
-            NotLocked => write!(f, "App is not locked"),
-            NoCredentials => write!(f, "No saved credentials were found"),
-            BadPassphrase => write!(f, "Invalid passphrase"),
-            InvalidUtf8 => write!(f, "Decrypted data was corrupted"),
-            DbError(e) => write!(f, "Database error: {e}"),
-        }
-    }
+
+
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum CryptoError {
+    #[error(transparent)]
+    Argon2(#[from] argon2::Error),
+    #[error("Invalid passphrase")] // I think this is the only way decryption fails
+    Aead(#[from] chacha20poly1305::aead::Error),
 }
 
 
 // Errors encountered while trying to figure out who's on the other end of a request
+#[derive(Debug, ThisError, AsRefStr)]
 pub enum ClientInfoError {
-    PidNotFound,
-    NetstatError(netstat2::error::Error),
+    #[error("Found PID for client socket, but no corresponding process")]
+    ProcessNotFound,
+    #[error("Couldn't get client socket details: {0}")]
+    NetstatError(#[from] netstat2::error::Error),
 }
-impl From<netstat2::error::Error> for ClientInfoError {
-    fn from(e: netstat2::error::Error) -> ClientInfoError {
-        ClientInfoError::NetstatError(e)
+
+
+// Errors encountered while requesting credentials via CLI (creddy show, creddy exec)
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum RequestError {
+    #[error("Credentials request failed: HTTP {0}")]
+    Failed(String),
+    #[error("Credentials request was rejected")]
+    Rejected,
+    #[error("Couldn't interpret the server's response")]
+    MalformedHttpResponse,
+    #[error("The server did not respond with valid JSON")]
+    InvalidJson,
+    #[error("Error reading/writing stream: {0}")]
+    StreamIOError(#[from] std::io::Error),
+    #[error("Error loading configuration data: {0}")]
+    Setup(#[from] SetupError),
+}
+
+
+// Errors encountered while running a subprocess (via creddy exec)
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum ExecError {
+    #[error("Please specify a command")]
+    NoCommand,
+    #[error("Failed to execute command: {0}")]
+    ExecutionFailed(#[from] std::io::Error)
+}
+
+
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum CliError {
+    #[error(transparent)]
+    Request(#[from] RequestError),
+    #[error(transparent)]
+    Exec(#[from] ExecError),
+    #[error(transparent)]
+    Io(#[from] std::io::Error),
+}
+
+
+// =========================
+// Serialize implementations
+// =========================
+
+
+struct SerializeWrapper<E>(pub E);
+
+impl Serialize for SerializeWrapper<&GetSessionTokenError> {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let err = self.0;
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", &err.code())?;
+        map.serialize_entry("msg", &err.message())?;
+        map.serialize_entry("source", &None::<&str>)?;
+        map.end()
+    }
+}
+
+
+
+impl_serialize_basic!(SetupError);
+impl_serialize_basic!(GetCredentialsError);
+impl_serialize_basic!(ClientInfoError);
+
+
+impl Serialize for HandlerError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+
+        match self {
+            HandlerError::NoCredentials(src) => map.serialize_entry("source", &src)?,
+            HandlerError::ClientInfo(src) => map.serialize_entry("source", &src)?,
+            _ => serialize_upstream_err(self, &mut map)?,
+        }
+
+        map.end()
+    }
+}
+
+
+impl Serialize for SendResponseError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+
+        match self {
+            SendResponseError::SessionRenew(src) => map.serialize_entry("source", &src)?,
+            _ => serialize_upstream_err(self, &mut map)?,
+        }
+
+        map.end()
+    }
+}
+
+
+impl Serialize for GetSessionError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+
+        match self {
+            GetSessionError::SdkError(AwsSdkError::ServiceError(se_wrapper)) => {
+                let err = se_wrapper.err();
+                map.serialize_entry("source", &SerializeWrapper(err))?
+            }
+            _ => serialize_upstream_err(self, &mut map)?,
+        }
+
+        map.end()
+    }
+}
+
+
+impl Serialize for UnlockError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+
+        match self {
+            UnlockError::GetSession(src) => map.serialize_entry("source", &src)?,
+            _ => serialize_upstream_err(self, &mut map)?,
+        }
+        map.end()
     }
 }

src-tauri/src/ipc.rs

@@ -1,31 +1,29 @@
 use serde::{Serialize, Deserialize};
 use tauri::State;
 
-use crate::state::{AppState, Session, Credentials};
+use crate::config::AppConfig;
+use crate::credentials::{Session,BaseCredentials};
+use crate::errors::*;
+use crate::clientinfo::Client;
+use crate::state::AppState;
 
 
-#[derive(Clone, Serialize, Deserialize)]
-pub struct Client {
-    pub pid: u32,
-    pub exe: String,
-}
-
-
-#[derive(Clone, Serialize, Deserialize)]
+#[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Request {
     pub id: u64,
-    pub clients: Vec<Client>,
+    pub clients: Vec<Option<Client>>,
+    pub base: bool,
 }
 
 
-#[derive(Serialize, Deserialize)]
+#[derive(Debug, Serialize, Deserialize)]
 pub struct RequestResponse {
     pub id: u64,
     pub approval: Approval,
 }
 
 
-#[derive(Serialize, Deserialize)]
+#[derive(Debug, Serialize, Deserialize)]
 pub enum Approval {
     Approved,
     Denied,
@@ -33,38 +31,50 @@ pub enum Approval {
 
 
 #[tauri::command]
-pub fn respond(response: RequestResponse, app_state: State<'_, AppState>) -> Result<(), String> {
-    app_state.send_response(response)
-        .map_err(|e| format!("Error responding to request: {e}"))
+pub async fn respond(response: RequestResponse, app_state: State<'_, AppState>) -> Result<(), SendResponseError> {
+    app_state.send_response(response).await
 }
 
 
 #[tauri::command]
-pub async fn unlock(passphrase: String, app_state: State<'_, AppState>) -> Result<(), String> {
-    app_state.decrypt(&passphrase)
-        .await
-        .map_err(|e| e.to_string())
+pub async fn unlock(passphrase: String, app_state: State<'_, AppState>) -> Result<(), UnlockError> {
+    app_state.unlock(&passphrase).await
 }
 
 
 #[tauri::command]
-pub fn get_session_status(app_state: State<'_, AppState>) -> String {
-    let session = app_state.session.read().unwrap();
-    match *session {
+pub async fn get_session_status(app_state: State<'_, AppState>) -> Result<String, ()> {
+    let session = app_state.session.read().await;
+    let status = match *session {
         Session::Locked(_) => "locked".into(),
-        Session::Unlocked(_) => "unlocked".into(),
+        Session::Unlocked{..} => "unlocked".into(),
         Session::Empty => "empty".into()
-    }
+    };
+    Ok(status)
 }
 
 
 #[tauri::command]
 pub async fn save_credentials(
-    credentials: Credentials,
+    credentials: BaseCredentials,
     passphrase: String,
     app_state: State<'_, AppState>
-) -> Result<(), String> {
-    app_state.save_creds(credentials, &passphrase)
-        .await
-        .map_err(|e| e.to_string())
+) -> Result<(), UnlockError> {
+    app_state.new_creds(credentials, &passphrase).await
+}
+
+
+#[tauri::command]
+pub async fn get_config(app_state: State<'_, AppState>) -> Result<AppConfig, ()> {
+    let config = app_state.config.read().await;
+    Ok(config.clone())
+}
+
+
+#[tauri::command]
+pub async fn save_config(config: AppConfig, app_state: State<'_, AppState>) -> Result<(), String>  {
+    app_state.update_config(config)
+        .await
+        .map_err(|e| format!("Error saving config: {e}"))?;
+        Ok(())
 }

src-tauri/src/lib.rs

@@ -0,0 +1,10 @@
+pub mod app;
+pub mod cli;
+mod config;
+mod credentials;
+pub mod errors;
+mod clientinfo;
+mod ipc;
+mod state;
+mod server;
+mod tray;

src-tauri/src/main.rs

@@ -3,35 +3,25 @@
     windows_subsystem = "windows"
 )]
 
-use std::str::FromStr;
-
-mod errors;
-mod clientinfo;
-mod ipc;
-mod state;
-mod server;
-mod storage;
+use creddy::{
+    app,
+    cli,
+    errors::ErrorPopup,
+};
 
 
 fn main() {
-    let initial_state = match state::AppState::new() {
-        Ok(state) => state,
-        Err(e) => {eprintln!("{}", e); return;}
+    let res = match cli::parser().get_matches().subcommand() {
+        None | Some(("run", _)) => {
+            app::run().error_popup("Creddy failed to start");
+            Ok(())
+        },
+        Some(("show", m)) => cli::show(m),
+        Some(("exec", m)) => cli::exec(m),
+        _ => unreachable!(),
     };
 
-    tauri::Builder::default()
-        .manage(initial_state)
-        .invoke_handler(tauri::generate_handler![
-            ipc::unlock,
-            ipc::respond,
-            ipc::get_session_status,
-            ipc::save_credentials,
-        ])
-        .setup(|app| {
-            let addr = std::net::SocketAddrV4::from_str("127.0.0.1:12345").unwrap();
-            tauri::async_runtime::spawn(server::serve(addr, app.handle()));
-            Ok(())
-        })
-        .run(tauri::generate_context!())
-        .expect("error while running tauri application");
-}
+    if let Err(e) = res {
+        eprintln!("Error: {e}");
+    }
+}

src-tauri/src/server.rs

@@ -1,97 +1,243 @@
+use core::time::Duration;
 use std::io;
-use std::net::SocketAddrV4;
-use tokio::net::{TcpListener, TcpStream};
+use std::net::{
+    Ipv4Addr,
+    SocketAddr,
+    SocketAddrV4,
+};
+use tokio::net::{
+    TcpListener, 
+    TcpStream,
+};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::sync::oneshot;
+use tokio::time::sleep;
 
 use tauri::{AppHandle, Manager};
+use tauri::async_runtime as rt;
+use tauri::async_runtime::JoinHandle;
 
-use crate::clientinfo;
-use crate::errors::RequestError;
+use crate::{clientinfo, clientinfo::Client};
+use crate::errors::*;
 use crate::ipc::{Request, Approval};
+use crate::state::AppState;
 
 
-pub async fn serve(addr: SocketAddrV4, app_handle: AppHandle) -> io::Result<()> {
-    let listener = TcpListener::bind(&addr).await?;
-    println!("Listening on {addr}");
-    loop {
-        let new_handle = app_handle.app_handle();
-        match listener.accept().await {
-            Ok((stream, _)) => {
-                tokio::spawn(async {
-                    if let Err(e) = handle(stream, new_handle).await {
-                        eprintln!("{e}");
-                    }
-                });
+struct Handler {
+    request_id: u64,
+    stream: TcpStream,
+    receiver: Option<oneshot::Receiver<Approval>>,
+    app: AppHandle,
+}
+
+impl Handler {
+    async fn new(stream: TcpStream, app: AppHandle) -> Self {
+        let state = app.state::<AppState>();
+        let (chan_send, chan_recv) = oneshot::channel();
+        let request_id = state.register_request(chan_send).await;
+        Handler { 
+            request_id,
+            stream,
+            receiver: Some(chan_recv),
+            app
+        }
+    }
+
+    async fn handle(mut self) {
+        if let Err(e) = self.try_handle().await {
+            eprintln!("{e}");
+        }
+        let state = self.app.state::<AppState>();
+        state.unregister_request(self.request_id).await;
+    }
+
+    async fn try_handle(&mut self) -> Result<(), HandlerError> {
+        let req_path = self.recv_request().await?;
+        let clients = self.get_clients().await?;
+        if self.includes_banned(&clients).await {
+            self.stream.write(b"HTTP/1.0 403 Access Denied\r\n\r\n").await?;
+            return Ok(())
+        }
+        let base = req_path == b"/creddy/base-credentials";
+        
+        let req = Request {id: self.request_id, clients, base};
+        self.app.emit_all("credentials-request", &req)?;
+        let starting_visibility = self.show_window()?;
+
+        match self.wait_for_response().await? {
+            Approval::Approved => {
+                let state = self.app.state::<AppState>();
+                let creds = if base {
+                    state.serialize_base_creds().await?
+                }
+                else {
+                    state.serialize_session_creds().await?
+                };
+                self.send_body(creds.as_bytes()).await?;
             },
-            Err(e) => {
-                eprintln!("Error accepting connection: {e}");
+            Approval::Denied => {
+                let state = self.app.state::<AppState>();
+                for client in req.clients {
+                    state.add_ban(client).await;
+                }
+                self.send_body(b"Denied!").await?;
+                self.stream.shutdown().await?;
+            }
+        }
+
+        // only hide the window if a) it was hidden to start with
+        // and b) there are no other pending requests
+        let state = self.app.state::<AppState>();
+        let delay = {
+            let config = state.config.read().await;
+            Duration::from_millis(config.rehide_ms)
+        };
+        sleep(delay).await;
+
+        if !starting_visibility && state.req_count().await == 0 {
+            let window = self.app.get_window("main").ok_or(HandlerError::NoMainWindow)?;
+            window.hide()?;
+        }
+
+        Ok(())
+    }
+
+    async fn recv_request(&mut self) -> Result<Vec<u8>, HandlerError> {
+        let mut buf = vec![0; 8192]; // it's what tokio's BufReader uses
+        let mut n = 0;
+        loop {
+            n += self.stream.read(&mut buf[n..]).await?;
+            if n >= 4 && &buf[(n - 4)..n] == b"\r\n\r\n" {break;}
+            if n == buf.len() {return Err(HandlerError::RequestTooLarge);}
+        }
+
+        let path = buf.split(|&c| &[c] == b" ")
+            .skip(1)
+            .next()
+            .ok_or(HandlerError::BadRequest(buf.clone()))?;
+
+        #[cfg(debug_assertions)] {
+            println!("Path: {}", std::str::from_utf8(&path).unwrap());
+            println!("{}", std::str::from_utf8(&buf).unwrap());
+        }
+
+        Ok(path.into())
+    }
+
+    async fn get_clients(&self) -> Result<Vec<Option<Client>>, HandlerError> {
+        let peer_addr = match self.stream.peer_addr()? {
+            SocketAddr::V4(addr) => addr,
+            _ => unreachable!(), // we only listen on IPv4
+        };
+        let clients = clientinfo::get_clients(peer_addr.port()).await?;
+        Ok(clients)
+    }
+
+    async fn includes_banned(&self, clients: &Vec<Option<Client>>) -> bool {
+        let state = self.app.state::<AppState>();
+        for client in clients {
+            if state.is_banned(client).await {
+                return true;
+            }
+        }
+        false
+    }
+
+    fn show_window(&self) -> Result<bool, HandlerError> {
+        let window = self.app.get_window("main").ok_or(HandlerError::NoMainWindow)?;
+        let starting_visibility = window.is_visible()?;
+        if !starting_visibility {
+            window.unminimize()?;
+            window.show()?;
+        }
+        window.set_focus()?;
+        Ok(starting_visibility)
+    }
+
+    async fn wait_for_response(&mut self) -> Result<Approval, HandlerError> {
+        self.stream.write(b"HTTP/1.0 200 OK\r\n").await?;
+        self.stream.write(b"Content-Type: application/json\r\n").await?;
+        self.stream.write(b"X-Creddy-delaying-tactic: ").await?;
+
+        #[allow(unreachable_code)] // seems necessary for type inference
+        let stall = async {
+            let delay = std::time::Duration::from_secs(1);
+            loop {
+                tokio::time::sleep(delay).await;
+                self.stream.write(b"x").await?;
+            }
+            Ok(Approval::Denied)
+        };
+
+        // this is the only place we even read this field, so it's safe to unwrap
+        let receiver = self.receiver.take().unwrap();
+        tokio::select!{
+            r = receiver => Ok(r.unwrap()), // only panics if the sender is dropped without sending, which shouldn't be possible
+            e = stall => e,
+        }
+    }
+
+    async fn send_body(&mut self, body: &[u8]) -> Result<(), HandlerError> {
+        self.stream.write(b"\r\nContent-Length: ").await?;
+        self.stream.write(body.len().to_string().as_bytes()).await?;
+        self.stream.write(b"\r\n\r\n").await?;
+        self.stream.write(body).await?;
+        self.stream.shutdown().await?;
+        Ok(())
+    }
+}
+
+
+#[derive(Debug)]
+pub struct Server {
+    addr: Ipv4Addr,
+    port: u16,
+    app_handle: AppHandle,
+    task: JoinHandle<()>,
+}
+
+
+impl Server {
+    pub async fn new(addr: Ipv4Addr, port: u16, app_handle: AppHandle) -> io::Result<Server> {
+        let task = Self::start_server(addr, port, app_handle.app_handle()).await?;
+        Ok(Server { addr, port, app_handle, task})
+    }
+
+    pub async fn rebind(&mut self, addr: Ipv4Addr, port: u16) -> io::Result<()> {
+        if addr == self.addr && port == self.port {
+            return Ok(())
+        }
+
+        let new_task = Self::start_server(addr, port, self.app_handle.app_handle()).await?;
+        self.task.abort();
+
+        self.addr = addr;
+        self.port = port;
+        self.task = new_task;
+        Ok(())
+    }
+
+    // construct the listener before spawning the task so that we can return early if it fails
+    async fn start_server(addr: Ipv4Addr, port: u16, app_handle: AppHandle) -> io::Result<JoinHandle<()>> {
+        let sock_addr = SocketAddrV4::new(addr, port);
+        let listener = TcpListener::bind(&sock_addr).await?;
+        let task = rt::spawn(
+            Self::serve(listener, app_handle.app_handle())
+        );
+        Ok(task)
+    }
+
+    async fn serve(listener: TcpListener, app_handle: AppHandle) {
+        loop {
+            match listener.accept().await {
+                Ok((stream, _)) => {
+                    let handler = Handler::new(stream, app_handle.app_handle()).await;
+                    rt::spawn(handler.handle());
+                },
+                Err(e) => {
+                    eprintln!("Error accepting connection: {e}");
+                }
             }
         }
     }
 }
-
-
-// it doesn't really return Approval, we just need to placate the compiler
-async fn stall(stream: &mut TcpStream) -> Result<Approval, tokio::io::Error> {
-    let delay = std::time::Duration::from_secs(1);
-    loop {
-        tokio::time::sleep(delay).await;
-        stream.write(b"x").await?;
-    }
-}
-
-
-async fn handle(mut stream: TcpStream, app_handle: AppHandle) -> Result<(), RequestError> {
-    let (chan_send, chan_recv) = oneshot::channel();
-    let app_state = app_handle.state::<crate::state::AppState>();
-    let request_id = app_state.register_request(chan_send);
-
-    let peer_addr = match stream.peer_addr()? {
-        std::net::SocketAddr::V4(addr) => addr,
-        _ => unreachable!(), // we only listen on IPv4
-    };
-    let clients = clientinfo::get_clients(peer_addr.port())?;
-
-    // Do we want to panic if this fails? Does that mean the frontend is dead?
-    let req = Request {id: request_id, clients};
-    app_handle.emit_all("credentials-request", req).unwrap();
-
-    let mut buf = [0; 8192]; // it's what tokio's BufReader uses
-    let mut n = 0;
-    loop {
-        n += stream.read(&mut buf[n..]).await?;
-        if &buf[(n - 4)..n] == b"\r\n\r\n" {break;}
-        if n == buf.len() {return Err(RequestError::RequestTooLarge);}
-    }
-
-    println!("{}", std::str::from_utf8(&buf).unwrap());
-
-    stream.write(b"HTTP/1.0 200 OK\r\n").await?;
-    stream.write(b"Content-Type: application/json\r\n").await?;
-    stream.write(b"X-Creddy-delaying-tactic: ").await?;
-
-    let approval = tokio::select!{
-        e = stall(&mut stream) => e?, // this will never return Ok, just Err if it can't write to the stream
-        r = chan_recv => r.unwrap(), // only panics if the sender is dropped without sending, which shouldn't happen
-    };
-
-    if matches!(approval, Approval::Denied) {
-        // because we own the stream, it gets closed when we return. 
-        // Unfortunately we've already signaled 200 OK, there's no way around this -
-        // we have to write the status code first thing, and we have to assume that the user
-        // might need more time than that gives us (especially if entering the passphrase).
-        // Fortunately most AWS libs automatically retry if the request dies uncompleted, allowing
-        // us to respond with a proper error status.
-        return Ok(());
-    }
-
-    let creds = app_state.get_creds_serialized()?;
-
-    stream.write(b"\r\nContent-Length: ").await?;
-    stream.write(creds.as_bytes().len().to_string().as_bytes()).await?;
-    stream.write(b"\r\n\r\n").await?;
-    stream.write(creds.as_bytes()).await?;
-    stream.write(b"\r\n\r\n").await?;
-    Ok(())
-}

src-tauri/src/state.rs

@@ -1,157 +1,108 @@
-use std::collections::HashMap;
-use std::sync::RwLock;
+use std::collections::{HashMap, HashSet};
+use std::time::Duration;
 
-use serde::{Serialize, Deserialize};
-use tokio::sync::oneshot::Sender;
-use sqlx::{SqlitePool, sqlite::SqlitePoolOptions, sqlite::SqliteConnectOptions};
-use sodiumoxide::crypto::{
-        pwhash,
-        pwhash::Salt, 
-        secretbox, 
-        secretbox::{Nonce, Key}
+use tokio::{
+    sync::oneshot::Sender,
+    sync::RwLock,
+    time::sleep,
 };
+use sqlx::SqlitePool;
 use tauri::async_runtime as runtime;
+use tauri::Manager;
 
-use crate::ipc;
+use crate::app::APP;
+use crate::credentials::{
+    Session,
+    BaseCredentials,
+    SessionCredentials,
+};
+use crate::{config, config::AppConfig};
+use crate::ipc::{self, Approval};
+use crate::clientinfo::Client;
 use crate::errors::*;
+use crate::server::Server;
 
 
-#[derive(Serialize, Deserialize)]
-#[serde(untagged)]
-pub enum Credentials {
-    #[serde(rename_all = "PascalCase")]
-    LongLived {
-        access_key_id: String,
-        secret_access_key: String,
-    },
-    #[serde(rename_all = "PascalCase")]
-    ShortLived {
-        access_key_id: String,
-        secret_access_key: String,
-        token: String,
-        expiration: String,
-    },
-}
-
-
-pub struct LockedCredentials {
-    access_key_id: String,
-    secret_key_enc: Vec<u8>,
-    salt: Salt,
-    nonce: Nonce,
-}
-
-
-pub enum Session {
-    Unlocked(Credentials),
-    Locked(LockedCredentials),
-    Empty,
-}
-
-
-// #[derive(Serialize, Deserialize)]
-// pub enum SessionStatus {
-//   Unlocked,
-//   Locked,
-//   Empty,
-// }
-
-
+#[derive(Debug)]
 pub struct AppState {
+    pub config: RwLock<AppConfig>,
     pub session: RwLock<Session>,
     pub request_count: RwLock<u64>,
     pub open_requests: RwLock<HashMap<u64, Sender<ipc::Approval>>>,
-    pool: SqlitePool,
+    pub bans: RwLock<std::collections::HashSet<Option<Client>>>,
+    server: RwLock<Server>,
+    pool: sqlx::SqlitePool,
 }
 
 impl AppState {
-    pub fn new() -> Result<Self, SetupError> {
-        let conn_opts = SqliteConnectOptions::new()
-            .filename("creddy.db")
-            .create_if_missing(true);
-        let pool_opts = SqlitePoolOptions::new();
-
-        let pool: SqlitePool = runtime::block_on(pool_opts.connect_with(conn_opts))?;
-        runtime::block_on(sqlx::migrate!().run(&pool))?;
-        let creds = runtime::block_on(Self::load_creds(&pool))?;
-
-        let state = AppState {
-            session: RwLock::new(creds),
+    pub fn new(config: AppConfig, session: Session, server: Server, pool: SqlitePool) -> AppState {
+        AppState {
+            config: RwLock::new(config),
+            session: RwLock::new(session),
             request_count: RwLock::new(0),
             open_requests: RwLock::new(HashMap::new()),
+            bans: RwLock::new(HashSet::new()),
+            server: RwLock::new(server),
             pool,
-        };
-
-        Ok(state)
+        }
     }
 
-    async fn load_creds(pool: &SqlitePool) -> Result<Session, SetupError> {
-        let res = sqlx::query!("SELECT * FROM credentials")
-            .fetch_optional(pool)
-            .await?;
-        let row = match res {
-            Some(r) => r,
-            None => {return Ok(Session::Empty);}
-        };
-
-        let salt_buf: [u8; 32] = row.salt
-            .try_into()
-            .map_err(|_e| SetupError::InvalidRecord)?;
-        let nonce_buf: [u8; 24] = row.nonce
-            .try_into()
-            .map_err(|_e| SetupError::InvalidRecord)?;
-
-        let creds = LockedCredentials {
-            access_key_id: row.access_key_id,
-            secret_key_enc: row.secret_key_enc,
-            salt: Salt(salt_buf),
-            nonce: Nonce(nonce_buf),
-        };
-        Ok(Session::Locked(creds))
-    }
-
-    pub async fn save_creds(&self, creds: Credentials, passphrase: &str) -> Result<(), sqlx::error::Error> {
-        let (key_id, secret_key) = match creds {
-            Credentials::LongLived {access_key_id, secret_access_key} => {
-                (access_key_id, secret_access_key)
-            },
-            _ => unreachable!(),
-        };
-        let salt = pwhash::gen_salt();
-        let mut key_buf = [0; secretbox::KEYBYTES];
-        pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &salt).unwrap();
-        let key = Key(key_buf);
-        // not sure we need both salt AND nonce given that we generate a
-        // fresh salt every time we encrypt, but better safe than sorry
-        let nonce = secretbox::gen_nonce();
-        let key_enc = secretbox::seal(secret_key.as_bytes(), &nonce, &key);
-        
-        // insert into database
-
-        // eventually replace this with a temporary session
-        let mut session = self.session.write().unwrap();
-        *session = Session::Unlocked(Credentials::LongLived {
-            access_key_id: key_id,
-            secret_access_key: secret_key,
-        });
+    pub async fn new_creds(&self, base_creds: BaseCredentials, passphrase: &str) -> Result<(), UnlockError> {
+        let locked = base_creds.encrypt(passphrase)?;
+        // do this first so that if it fails we don't save bad credentials
+        self.new_session(base_creds).await?;
+        locked.save(&self.pool).await?;
 
         Ok(())
     }
 
-    pub fn register_request(&self, chan: Sender<ipc::Approval>) -> u64 {
+    pub async fn update_config(&self, new_config: AppConfig) -> Result<(), SetupError> {
+        let mut live_config = self.config.write().await;
+        
+        if new_config.start_on_login != live_config.start_on_login {
+            config::set_auto_launch(new_config.start_on_login)?;
+        }
+        if new_config.listen_addr != live_config.listen_addr 
+            || new_config.listen_port != live_config.listen_port 
+        {
+            let mut sv = self.server.write().await;
+            sv.rebind(new_config.listen_addr, new_config.listen_port).await?;
+        }
+
+        new_config.save(&self.pool).await?;
+        *live_config = new_config;
+        Ok(())
+    }
+
+    pub async fn register_request(&self, chan: Sender<ipc::Approval>) -> u64 {
         let count = {
-            let mut c = self.request_count.write().unwrap();
+            let mut c = self.request_count.write().await;
             *c += 1;
             c
         };
 
-        let mut open_requests = self.open_requests.write().unwrap();
+        let mut open_requests = self.open_requests.write().await;
         open_requests.insert(*count, chan); // `count` is the request id
         *count
     }
 
-    pub fn send_response(&self, response: ipc::RequestResponse) -> Result<(), SendResponseError> {
-        let mut open_requests = self.open_requests.write().unwrap();
+    pub async fn unregister_request(&self, id: u64) {
+        let mut open_requests = self.open_requests.write().await;
+        open_requests.remove(&id);
+    }
+
+    pub async fn req_count(&self) -> usize {
+        let open_requests = self.open_requests.read().await;
+        open_requests.len()
+    }
+
+    pub async fn send_response(&self, response: ipc::RequestResponse) -> Result<(), SendResponseError> {
+        if let Approval::Approved = response.approval {
+            let mut session = self.session.write().await;
+            session.renew_if_expired().await?;
+        }
+
+        let mut open_requests = self.open_requests.write().await;
         let chan = open_requests
             .remove(&response.id)
             .ok_or(SendResponseError::NotFound)
@@ -161,36 +112,57 @@ impl AppState {
             .map_err(|_e| SendResponseError::Abandoned)
     }
 
-    pub async fn decrypt(&self, passphrase: &str) -> Result<(), UnlockError> {
-        let session = self.session.read().unwrap();
-        let locked = match *session {
+    pub async fn add_ban(&self, client: Option<Client>) {
+        let mut bans = self.bans.write().await;
+        bans.insert(client.clone());
+
+        runtime::spawn(async move {
+            sleep(Duration::from_secs(5)).await;
+            let app = APP.get().unwrap();
+            let state = app.state::<AppState>();
+            let mut bans = state.bans.write().await;
+            bans.remove(&client);
+        });
+    }
+
+    pub async fn is_banned(&self, client: &Option<Client>) -> bool {
+        self.bans.read().await.contains(&client)
+    }
+
+    pub async fn unlock(&self, passphrase: &str) -> Result<(), UnlockError> {
+        let base_creds = match *self.session.read().await {
             Session::Empty => {return Err(UnlockError::NoCredentials);},
-            Session::Unlocked(_) => {return Err(UnlockError::NotLocked);},
-            Session::Locked(ref c) => c,
+            Session::Unlocked{..} => {return Err(UnlockError::NotLocked);},
+            Session::Locked(ref locked) => locked.decrypt(passphrase)?,
         };
+        // Read lock is dropped here, so this doesn't deadlock
+        self.new_session(base_creds).await?;
 
-        let mut key_buf = [0; secretbox::KEYBYTES];
-        // pretty sure this only fails if we're out of memory
-        pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &locked.salt).unwrap();
-        let decrypted = secretbox::open(&locked.secret_key_enc, &locked.nonce, &Key(key_buf))
-            .map_err(|_e| UnlockError::BadPassphrase)?;
-
-        let secret_str = String::from_utf8(decrypted).map_err(|_e| UnlockError::InvalidUtf8)?;
-        let mut session = self.session.write().unwrap();
-        let creds = Credentials::LongLived {
-            access_key_id: locked.access_key_id.clone(),
-            secret_access_key: secret_str,
-        };
-        *session = Session::Unlocked(creds);
         Ok(())
     }
 
-    pub fn get_creds_serialized(&self) -> Result<String, GetCredentialsError> {
-        let session = self.session.read().unwrap();
+    pub async fn serialize_base_creds(&self) -> Result<String, GetCredentialsError> {
+        let session = self.session.read().await;
         match *session {
-            Session::Unlocked(ref creds) => Ok(serde_json::to_string(creds).unwrap()),
+            Session::Unlocked{ref base, ..} => Ok(serde_json::to_string(base).unwrap()),
             Session::Locked(_) => Err(GetCredentialsError::Locked),
             Session::Empty => Err(GetCredentialsError::Empty),
         }
     }
+
+    pub async fn serialize_session_creds(&self) -> Result<String, GetCredentialsError> {
+        let session = self.session.read().await;
+        match *session {
+            Session::Unlocked{ref session, ..} => Ok(serde_json::to_string(session).unwrap()),
+            Session::Locked(_) => Err(GetCredentialsError::Locked),
+            Session::Empty => Err(GetCredentialsError::Empty),
+        }
+    }
+
+    async fn new_session(&self, base: BaseCredentials) -> Result<(), GetSessionError> {
+        let session = SessionCredentials::from_base(&base).await?;
+        let mut app_session = self.session.write().await;
+        *app_session = Session::Unlocked {base, session};
+        Ok(())
+    }
 }

src-tauri/src/storage.rs

@@ -1,42 +0,0 @@
-use sodiumoxide::crypto::{pwhash, secretbox};
-
-use crate::state;
-
-
-pub fn save(data: &str, passphrase: &str) {
-    let salt = pwhash::Salt([0; 32]); // yes yes, just for now
-    let mut kbuf = [0; secretbox::KEYBYTES];
-    pwhash::derive_key_interactive(&mut kbuf, passphrase.as_bytes(), &salt)
-        .expect("Couldn't compute password hash. Are you out of memory?");
-    let key = secretbox::Key(kbuf);
-    let nonce = secretbox::Nonce([0; 24]); // we don't care about e.g. replay attacks so this might be safe?
-    let encrypted = secretbox::seal(data.as_bytes(), &nonce, &key);
-
-    //todo: store in a database, along with salt, nonce, and hash parameters
-    std::fs::write("credentials.enc", &encrypted).expect("Failed to write file.");
-
-    //todo: key is automatically zeroed, but we should use 'zeroize' or something to zero out passphrase and data
-}
-
-
-// pub fn load(passphrase: &str) -> String {
-//     let salt = pwhash::Salt([0; 32]);
-//     let mut kbuf = [0; secretbox::KEYBYTES];
-//     pwhash::derive_key_interactive(&mut kbuf, passphrase.as_bytes(), &salt)
-//         .expect("Couldn't compute password hash. Are you out of memory?");
-//     let key = secretbox::Key(kbuf);
-//     let nonce = secretbox::Nonce([0; 24]);
-
-//     let encrypted = std::fs::read("credentials.enc").expect("Failed to read file.");
-//     let decrypted = secretbox::open(&encrypted, &nonce, &key).expect("Failed to decrypt.");
-//     String::from_utf8(decrypted).expect("Invalid utf-8")
-// }
-
-pub fn load(passphrase: &str) -> state::Credentials {
-    state::Credentials::ShortLived {
-        access_key_id: "ASIAZ7WSVLORKQI27QGB".to_string(),
-        secret_access_key: "blah".to_string(),
-        token: "gah".to_string(),
-        expiration: "2022-11-29T10:45:12Z".to_string(),
-    }
-}

src-tauri/src/tray.rs

@@ -0,0 +1,36 @@
+use tauri::{
+    AppHandle,
+    Manager,
+    SystemTray,
+    SystemTrayEvent,
+    SystemTrayMenu,
+    CustomMenuItem,
+};
+
+
+pub fn create() -> SystemTray {
+    let show = CustomMenuItem::new("show".to_string(), "Show");
+    let quit = CustomMenuItem::new("exit".to_string(), "Exit");
+
+    let menu = SystemTrayMenu::new()
+        .add_item(show)
+        .add_item(quit);
+
+    SystemTray::new().with_menu(menu)
+}
+
+
+pub fn handle_event(app: &AppHandle, event: SystemTrayEvent) {
+    match event {
+        SystemTrayEvent::MenuItemClick{ id, .. } => {
+            match id.as_str() {
+                "exit" => app.exit(0),
+                "show" => {
+                    let _ = app.get_window("main").map(|w| w.show());
+                }
+                _ => (),
+            }
+        }
+        _ => (),
+    }
+}

src-tauri/tauri.conf.json

@@ -8,11 +8,11 @@
   },
   "package": {
     "productName": "creddy",
-    "version": "0.1.0"
+    "version": "0.2.3"
   },
   "tauri": {
     "allowlist": {
-      "all": true
+      "os": {"all": true}
     },
     "bundle": {
       "active": true,
@@ -29,7 +29,7 @@
         "icons/icon.icns",
         "icons/icon.ico"
       ],
-      "identifier": "com.tauri.dev",
+      "identifier": "creddy",
       "longDescription": "",
       "macOS": {
         "entitlements": null,
@@ -44,11 +44,18 @@
       "windows": {
         "certificateThumbprint": null,
         "digestAlgorithm": "sha256",
-        "timestampUrl": ""
+        "timestampUrl": "",
+        "wix": {
+          "fragmentPaths": ["conf/cli.wxs"],
+          "componentRefs": ["CliBinary", "AddToPath"]
+        }
       }
     },
     "security": {
-      "csp": null
+      "csp": {
+        "default-src": ["'self'"],
+        "style-src": ["'self'", "'unsafe-inline'"]
+      }
     },
     "updater": {
       "active": false
@@ -58,9 +65,15 @@
         "fullscreen": false,
         "height": 600,
         "resizable": true,
+        "label": "main",
         "title": "Creddy",
-        "width": 800
+        "width": 800,
+        "visible": false
       }
-    ]
+    ],
+    "systemTray": {
+      "iconPath": "icons/icon.png",
+      "iconAsTemplate": true
+    }
   }
 }

src/App.svelte

@@ -1,37 +1,23 @@
 <script>
-import { emit, listen } from '@tauri-apps/api/event';
-import queue from './lib/queue.js';
-
-const VIEWS = import.meta.glob('./views/*.svelte', {eager: true});
-
-window.emit = emit;
-window.queue = queue;
-
-var appState = {
-    currentRequest: null,
-    pendingRequests: queue(),
-    credentialStatus: 'locked',
-}
-window.appState = appState;
-
-
+import { onMount } from 'svelte';
+import { listen } from '@tauri-apps/api/event';
 import { invoke } from '@tauri-apps/api/tauri';
-window.invoke = invoke;
+
+import { appState, acceptRequest } from './lib/state.js';
+import { views, currentView, navigate } from './lib/routing.js';
 
 
-var currentView = VIEWS['./views/Home.svelte'].default;
-window.currentView = currentView;
-window.VIEWS = VIEWS;
-function navigate(svelteEvent) {
-    const moduleName = `./views/${svelteEvent.detail.target}.svelte`;
-    currentView = VIEWS[moduleName].default;
-}
-window.navigate = navigate;
+$views = import.meta.glob('./views/*.svelte', {eager: true});
+navigate('Home');
+
+invoke('get_config').then(config => $appState.config = config);
 
 listen('credentials-request', (tauriEvent) => {
-    appState.pendingRequests.put(tauriEvent.payload);
-    console.log('Received request.');
+    $appState.pendingRequests.put(tauriEvent.payload);
 });
+
+acceptRequest();
 </script>
 
-<svelte:component this={currentView} on:navigate={navigate} bind:appState={appState} />
+
+<svelte:component this="{$currentView}" />

src/lib/errors.js

@@ -0,0 +1,8 @@
+export function getRootCause(error) {
+    if (error.source) {
+        return getRootCause(error.source);
+    }
+    else {
+        return error;
+    }
+}

src/lib/routing.js

@@ -0,0 +1,11 @@
+import { writable, get } from 'svelte/store';
+
+
+export let views = writable();
+export let currentView = writable();
+export let previousView = writable();
+
+export function navigate(viewName) {
+    let v = get(views)[`./views/${viewName}.svelte`].default;
+    currentView.set(v)
+}

src/lib/state.js

@@ -0,0 +1,33 @@
+import { writable, get } from 'svelte/store';
+
+import queue from './queue.js';
+import { navigate, currentView, previousView } from './routing.js';
+
+
+export let appState = writable({
+    currentRequest: null,
+    pendingRequests: queue(),
+    credentialStatus: 'locked',
+});
+
+
+export async function acceptRequest() {
+    let req = await get(appState).pendingRequests.get();
+    appState.update($appState => {
+        $appState.currentRequest = req;
+        return $appState;
+    });
+    previousView.set(get(currentView));
+    navigate('Approve');
+}
+
+
+export function completeRequest() {
+    appState.update($appState => {
+        $appState.currentRequest = null;
+        return $appState;
+    });
+    currentView.set(get(previousView));
+    previousView.set(null);
+    acceptRequest();
+}

src/style.css

@@ -1,3 +1,7 @@
 @tailwind base;
 @tailwind components;
 @tailwind utilities;
+
+.btn-alert-error {
+    @apply bg-transparent hover:bg-[#cd5a5a] border border-error-content text-error-content
+}

src/ui/Button.svelte

@@ -0,0 +1,9 @@
+<script>
+    import Icon from './Icon.svelte';
+    export let icon = null;
+</script>
+
+<button>
+    {#if icon}<Icon name={icon} class="w-4 text-gray-200" />{/if}
+    <slot></slot>
+</button>

src/ui/ErrorAlert.svelte

@@ -0,0 +1,67 @@
+<script>
+    import { onMount } from 'svelte';
+    import { slide } from 'svelte/transition';
+
+    let extraClasses = "";
+    export {extraClasses as class};
+    export let slideDuration = 150;
+    let animationClass = "";
+
+    export function shake() {
+        animationClass = 'shake';
+        window.setTimeout(() => animationClass = "", 400);
+    }
+
+</script>
+
+
+<style>
+    /* animation from https://svelte.dev/repl/e606c27c864045e5a9700691a7417f99?version=3.58.0 */
+    @keyframes shake {
+        0% {
+            transform: translateX(0px);
+        }
+        20% {
+            transform: translateX(10px);
+        }
+        40% {
+            transform: translateX(-10px);
+        }
+        60% {
+            transform: translateX(5px);
+        }
+        80% {
+            transform: translateX(-5px);
+        }
+        90% {
+            transform: translateX(2px);
+        }
+        95% {
+            transform: translateX(-2px);
+        }
+        100% {
+            transform: translateX(0px);
+        }
+    }
+    .shake {
+        animation-name: shake;
+        animation-play-state: running;
+        animation-duration: 0.4s;
+    }
+</style>
+
+
+<div in:slide="{{duration: slideDuration}}" class="alert alert-error shadow-lg {animationClass} {extraClasses}">
+    <div>
+        <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
+        <span>
+            <slot></slot>
+        </span>
+    </div>
+
+    {#if $$slots.buttons}
+        <div>
+            <slot name="buttons"></slot>
+        </div>
+    {/if}
+</div>

src/ui/Icon.svelte

@@ -0,0 +1,11 @@
+<script>
+    const ICONS = import.meta.glob('./icons/*.svelte', {eager: true});
+
+    export let name;
+    let classes = "";
+    export {classes as class};
+
+    let svg = ICONS[`./icons/${name}.svelte`].default;
+</script>
+
+<svelte:component this={svg} class={classes} />

src/ui/Link.svelte

@@ -0,0 +1,43 @@
+<script>
+    import { navigate } from '../lib/routing.js';
+
+    export let target;
+    export let hotkey = null;
+    export let ctrl = false
+    export let alt = false;
+    export let shift = false;
+
+    let classes = "";
+    export {classes as class};
+
+    function click() {
+        if (typeof target === 'string') {
+            navigate(target);
+        }
+        else if (typeof target === 'function') {
+            target();
+        }
+        else {
+            throw(`Link target is not a string or a function: ${target}`)
+        }
+    }
+
+
+    function handleHotkey(event) {
+        if (!hotkey) return;
+        if (ctrl && !event.ctrlKey) return;
+        if (alt && !event.altKey) return;
+        if (shift && !event.shiftKey) return;
+
+        if (event.key === hotkey) {
+            click();
+        }
+    }
+</script>
+
+
+<svelte:window on:keydown={handleHotkey} />
+
+<a href="/{target}" on:click|preventDefault="{click}" class={classes}>
+    <slot></slot>
+</a>

src/ui/Nav.svelte

@@ -0,0 +1,29 @@
+<script>
+    import Link from './Link.svelte';
+    import Icon from './Icon.svelte';
+
+    export let position = "sticky";
+</script>
+
+
+<nav class="{position} top-0 bg-base-100 w-full flex justify-between items-center p-2">
+    <div>
+        <Link target="Home">
+            <button class="btn btn-square btn-ghost align-middle">
+                <Icon name="home" class="w-8 h-8 stroke-2" />
+            </button>
+        </Link>
+    </div>
+
+    {#if $$slots.title}
+        <slot name="title"></slot>
+    {/if}
+
+    <div>
+        <Link target="Settings">
+            <button class="btn btn-square btn-ghost align-middle ">
+                <Icon name="cog-8-tooth" class="w-8 h-8 stroke-2" />
+            </button>
+        </Link>
+    </div>
+</nav>

src/ui/Spinner.svelte

@@ -0,0 +1,113 @@
+<script>
+    export let color = 'base-content';
+    export let thickness = '2px';
+    let classes = '';
+    export { classes as class };
+
+    const colorVars = {
+        'primary': 'p',
+        'primary-focus': 'pf',
+        'primary-content': 'pc',
+        'secondary': 's',
+        'secondary-focus': 'sf',
+        'secondary-content': 'sc',
+        'accent': 'a',
+        'accent-focus': 'af',
+        'accent-content': 'ac',
+        'neutral': 'n',
+        'neutral-focus': 'nf',
+        'neutral-content': 'nc',
+        'base-100': 'b1',
+        'base-200': 'b2',
+        'base-300': 'b3',
+        'base-content': 'bc',
+        'info': 'in',
+        'info-content': 'inc',
+        'success': 'su',
+        'success-content': 'suc',
+        'warning': 'wa',
+        'warning-content': 'wac',
+        'error': 'er',
+        'error-content': 'erc',
+    }
+
+    let arcStyle = `border-width: ${thickness};`;
+    arcStyle += `border-color: hsl(var(--${colorVars[color]})) transparent transparent transparent;`;
+</script>
+
+<style>
+    #spinner {
+        position: relative;
+
+        animation: spin;
+        animation-duration: 1.5s;
+        animation-iteration-count: infinite;
+        animation-timing-function: linear;
+    }
+
+    @keyframes spin {
+        50% { transform: rotate(225deg); }
+        100% { transform: rotate(360deg); }
+    }
+
+    .arc {
+        position: absolute;
+        top: 0;
+        left: 0;
+        border-radius: 9999px;
+    }
+
+    .arc-top {
+        transform: rotate(-45deg);
+    }
+
+    .arc-right {
+        animation: spin-right;
+        animation-duration: 3s;
+        animation-iteration-count: infinite;
+    }
+
+    .arc-bottom {
+        animation: spin-bottom;
+        animation-duration: 3s;
+        animation-iteration-count: infinite;
+    }
+
+    .arc-left {
+        animation: spin-left;
+        animation-duration: 3s;
+        animation-iteration-count: infinite;
+    }
+
+    @keyframes spin-top {
+        0% { transform: rotate(-45deg); }
+        50% { transform: rotate(315deg); }
+        100% { transform: rotate(-45deg); }
+    }
+
+    @keyframes spin-right {
+        0% { transform: rotate(45deg); }
+        50% { transform: rotate(315deg); }
+        100% { transform: rotate(405deg); }
+    }
+
+    @keyframes spin-bottom {
+        0% { transform: rotate(135deg); }
+        50% { transform: rotate(315deg); }
+        100% { transform: rotate(495deg); }
+    }
+
+    @keyframes spin-left {
+        0% { transform: rotate(225deg); }
+        50% { transform: rotate(315deg); }
+        100% { transform: rotate(585deg); }
+    }
+</style>
+
+
+<div id="spinner" class="w-6 h-6 {classes}">
+    <div class="arc arc-top w-full h-full" style={arcStyle}></div>
+    <div class="arc arc-right w-full h-full" style={arcStyle}></div>
+    <div class="arc arc-bottom w-full h-full" style={arcStyle}></div>
+    <div class="arc arc-left w-full h-full" style={arcStyle}></div>
+</div>

src/ui/icons/check-circle.svelte

@@ -0,0 +1,8 @@
+<script>
+    let classes = "";
+    export {classes as class};
+</script>
+
+<svg class={classes} fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="1">
+    <path stroke-linecap="round" stroke-linejoin="round" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+</svg>

src/ui/icons/cog-8-tooth.svelte

@@ -0,0 +1,9 @@
+<script>
+    let classes = "";
+    export {classes as class};
+</script>
+
+<svg class="w-6 h-6 {classes}" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+  <path stroke-linecap="round" stroke-linejoin="round" d="M10.343 3.94c.09-.542.56-.94 1.11-.94h1.093c.55 0 1.02.398 1.11.94l.149.894c.07.424.384.764.78.93.398.164.855.142 1.205-.108l.737-.527a1.125 1.125 0 011.45.12l.773.774c.39.389.44 1.002.12 1.45l-.527.737c-.25.35-.272.806-.107 1.204.165.397.505.71.93.78l.893.15c.543.09.94.56.94 1.109v1.094c0 .55-.397 1.02-.94 1.11l-.893.149c-.425.07-.765.383-.93.78-.165.398-.143.854.107 1.204l.527.738c.32.447.269 1.06-.12 1.45l-.774.773a1.125 1.125 0 01-1.449.12l-.738-.527c-.35-.25-.806-.272-1.203-.107-.397.165-.71.505-.781.929l-.149.894c-.09.542-.56.94-1.11.94h-1.094c-.55 0-1.019-.398-1.11-.94l-.148-.894c-.071-.424-.384-.764-.781-.93-.398-.164-.854-.142-1.204.108l-.738.527c-.447.32-1.06.269-1.45-.12l-.773-.774a1.125 1.125 0 01-.12-1.45l.527-.737c.25-.35.273-.806.108-1.204-.165-.397-.505-.71-.93-.78l-.894-.15c-.542-.09-.94-.56-.94-1.109v-1.094c0-.55.398-1.02.94-1.11l.894-.149c.424-.07.765-.383.93-.78.165-.398.143-.854-.107-1.204l-.527-.738a1.125 1.125 0 01.12-1.45l.773-.773a1.125 1.125 0 011.45-.12l.737.527c.35.25.807.272 1.204.107.397-.165.71-.505.78-.929l.15-.894z" />
+  <path stroke-linecap="round" stroke-linejoin="round" d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />
+</svg>

src/ui/icons/home.svelte

@@ -0,0 +1,8 @@
+<script>
+    let classes = "";
+    export {classes as class};
+</script>
+
+<svg class="w-6 h-6 {classes}" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+  <path stroke-linecap="round" stroke-linejoin="round" d="M2.25 12l8.954-8.955c.44-.439 1.152-.439 1.591 0L21.75 12M4.5 9.75v10.125c0 .621.504 1.125 1.125 1.125H9.75v-4.875c0-.621.504-1.125 1.125-1.125h2.25c.621 0 1.125.504 1.125 1.125V21h4.125c.621 0 1.125-.504 1.125-1.125V9.75M8.25 21h8.25" />
+</svg>

src/ui/icons/x-circle.svelte

@@ -0,0 +1,8 @@
+<script>
+    let classes = "";
+    export {classes as class};
+</script>
+
+<svg class={classes} fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="1">
+    <path stroke-linecap="round" stroke-linejoin="round" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" />
+</svg>

src/ui/settings/NumericSetting.svelte

@@ -0,0 +1,80 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+
+    import Setting from './Setting.svelte';
+
+    export let title;
+    export let value;
+    export let unit = '';
+    export let min = null;
+    export let max = null;
+    export let decimal = false;
+
+    const dispatch = createEventDispatcher();
+
+    $: localValue = value.toString();
+    let lastInputTime = null;
+    function debounce(event) {
+        lastInputTime = Date.now();
+        localValue = localValue.replace(/[^-0-9.]/g, '');
+
+        const eventTime = lastInputTime;
+        const pendingValue = localValue;
+        window.setTimeout(
+            () => {
+                // if no other inputs have occured since then
+                if (eventTime === lastInputTime) {
+                    updateValue(pendingValue);
+                }
+            },
+            500
+        )
+    }
+
+    let error = null;
+    function updateValue(newValue) {
+        // Don't update the value, but also don't error, if it's empty
+        // or if it could be the start of a negative or decimal number
+        if (newValue.match(/^$|^-$|^\.$/) !== null) {
+            error = null;
+            return;
+        }
+
+        const num = parseFloat(newValue);
+        if (num % 1 !== 0 && !decimal) {
+            error = `${num} is not a whole number`;
+        }
+        else if (min !== null && num < min) {
+            error = `Too low (minimum ${min})`;
+        }
+        else if (max !== null && num > max) {
+            error = `Too large (maximum ${max})`
+        }
+        else {
+            error = null;
+            value = num;
+            dispatch('update', {value})
+        }
+    }
+</script>
+
+
+<Setting {title}>
+    <div slot="input">
+        {#if unit}
+            <span class="mr-2">{unit}:</span>
+        {/if}
+        <div class="tooltip tooltip-error" class:tooltip-open={error !== null} data-tip="{error}">
+            <input 
+                type="text" 
+                class="input input-sm input-bordered text-right" 
+                size="{Math.max(5, localValue.length)}"
+                class:input-error={error} 
+                bind:value={localValue} 
+                on:input="{debounce}"
+            />
+        </div>
+    </div>
+
+    <slot name="description" slot="description"></slot>
+</Setting>

src/ui/settings/Setting.svelte

@@ -0,0 +1,19 @@
+<script>
+    import { slide } from 'svelte/transition';
+    import ErrorAlert from '../ErrorAlert.svelte';
+
+    export let title;
+</script>
+
+
+<div class="divider"></div>
+<div class="flex justify-between">
+    <h3 class="text-lg font-bold">{title}</h3>
+    <slot name="input"></slot>
+</div>
+
+{#if $$slots.description}
+    <p class="mt-3">
+        <slot name="description"></slot>
+    </p>
+{/if}

src/ui/settings/ToggleSetting.svelte

@@ -0,0 +1,22 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+
+    import Setting from './Setting.svelte';
+
+    export let title;
+    export let value;
+
+    const dispatch = createEventDispatcher();
+</script>
+
+
+<Setting {title}>
+    <input 
+        slot="input" 
+        type="checkbox" 
+        class="toggle toggle-success"
+        bind:checked={value}
+        on:change={e => dispatch('update', {value: e.target.checked})}
+    />
+    <slot name="description" slot="description"></slot>
+</Setting>

src/ui/settings/index.js

@@ -0,0 +1,3 @@
+export { default as Setting } from './Setting.svelte';
+export { default as ToggleSetting } from './ToggleSetting.svelte';
+export { default as NumericSetting } from './NumericSetting.svelte';

src/views/Approve.svelte

@@ -1,39 +1,126 @@
 <script>
-    import { createEventDispatcher } from 'svelte';
+    import { onMount } from 'svelte';
     import { invoke } from '@tauri-apps/api/tauri';
 
-    export let appState;
+    import { navigate } from '../lib/routing.js';
+    import { appState, completeRequest } from '../lib/state.js';
+    import ErrorAlert from '../ui/ErrorAlert.svelte';
+    import Link from '../ui/Link.svelte';
 
-    const dispatch = createEventDispatcher();
 
+    // Send response to backend, display error if applicable
+    let error, alert;
+    async function respond() {
+        let {id, approval} = $appState.currentRequest;
+        try {
+            await invoke('respond', {response: {id, approval}});
+            navigate('ShowResponse');
+        }
+        catch (e) {
+            if (error) {
+                alert.shake();
+            }
+            error = e;
+        }
+    }
+
+    // Approval has one of several outcomes depending on current credential state
     async function approve() {
+        $appState.currentRequest.approval = 'Approved';
         let status = await invoke('get_session_status');
         if (status === 'unlocked') {
-            dispatch('navigate', {target: 'ShowApproved'});
+            await respond();
         }
         else if (status === 'locked') {
-            dispatch('navigate', {target: 'Unlock'})
+            navigate('Unlock');
         }
         else {
-            dispatch('navigate', {target: 'EnterCredentials'});
+            navigate('EnterCredentials');
         }
     }
 
-    function deny() {
-        dispatch('navigate', {target: 'ShowDenied'});
+    // Denial has only one
+    async function deny() {
+        $appState.currentRequest.approval = 'Denied';
+        await respond();
     }
+
+    // Extract executable name from full path
+    let appName = null;
+    if ($appState.currentRequest.clients.length === 1) {
+        let path = $appState.currentRequest.clients[0].exe;
+        let m = path.match(/\/([^/]+?$)|\\([^\\]+?$)/);
+        appName = m[1] || m[2];
+    }
+
+    // Executable paths can be long, so ensure they only break on \ or /
+    function breakPath(client) {
+        return client.exe.replace(/(\\|\/)/g, '$1<wbr>');
+    }
+
+    // if the request has already been approved/denied, send response immediately
+    onMount(async () => {
+        if ($appState.currentRequest.approval) {
+            await respond();
+        }
+    })
 </script>
 
-<h2 class="text-3xl text-gray-200">An application would like to access your AWS credentials.</h2>
 
-<button on:click={approve}>
-    <svg class="w-32 stroke-green-500" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="1">
-      <path stroke-linecap="round" stroke-linejoin="round" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
-    </svg>
-</button>
+<!-- Don't render at all if we're just going to immediately proceed to the next screen -->
+{#if error || !$appState.currentRequest.approval}
+    <div class="flex flex-col space-y-4 p-4 m-auto max-w-xl h-screen items-center justify-center">
+        {#if error}
+            <ErrorAlert bind:this={alert}>
+                {error}
+                <svelte:fragment slot="buttons">
+                    <button class="btn btn-sm btn-alert-error" on:click={completeRequest}>Cancel</button>
+                    <button class="btn btn-sm btn-alert-error" on:click={respond}>Retry</button>
+                </svelte:fragment>
+            </ErrorAlert>
+        {/if}
 
-<button on:click={deny}>
-    <svg class="w-32 stroke-red-600" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="1">
-        <path stroke-linecap="round" stroke-linejoin="round" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" />
-    </svg>
-</button>
+        {#if $appState.currentRequest.base}
+            <div class="alert alert-warning shadow-lg">
+                <div>
+                    <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" /></svg>
+                    <span>
+                        WARNING: This application is requesting your base (long-lived) AWS credentials. 
+                        These credentials are less secure than session credentials, since they don't expire automatically.
+                    </span>
+                </div>
+            </div>
+        {/if}
+
+        <div class="space-y-1 mb-4">
+            <h2 class="text-xl font-bold">{appName ? `"${appName}"` : 'An appplication'} would like to access your AWS credentials.</h2>
+
+            <div class="grid grid-cols-[auto_1fr] gap-x-3">
+                {#each $appState.currentRequest.clients as client}
+                    <div class="text-right">Path:</div>
+                    <code class="">{@html client ? breakPath(client) : 'Unknown'}</code>
+                    <div class="text-right">PID:</div>
+                    <code>{client ? client.pid : 'Unknown'}</code>
+                {/each}
+            </div>
+        </div>
+
+        <div class="w-full flex justify-between">
+            <Link target={deny} hotkey="Escape">
+                <button class="btn btn-error justify-self-start">
+                    Deny
+                    <kbd class="ml-2 normal-case px-1 py-0.5 rounded border border-neutral">Esc</kbd>
+                </button>
+            </Link>
+
+            <Link target={approve} hotkey="Enter" shift="{true}">
+                <button class="btn btn-success justify-self-end">
+                    Approve
+                    <kbd class="ml-2 normal-case px-1 py-0.5 rounded border border-neutral">Shift</kbd>
+                    <span class="mx-0.5">+</span>
+                    <kbd class="normal-case px-1 py-0.5 rounded border border-neutral">Enter</kbd>
+                </button>
+            </Link>
+        </div>
+    </div>
+{/if}

src/views/EnterCredentials.svelte

@@ -1,41 +1,85 @@
 <script>
-    import { onMount, createEventDispatcher } from 'svelte';
+    import { onMount } from 'svelte';
     import { invoke } from '@tauri-apps/api/tauri';
+    import { getRootCause } from '../lib/errors.js';
 
-    export let appState;
+    import { appState } from '../lib/state.js';
+    import { navigate } from '../lib/routing.js';
+    import Link from '../ui/Link.svelte';
+    import ErrorAlert from '../ui/ErrorAlert.svelte';
+    import Spinner from '../ui/Spinner.svelte';
 
-    const dispatch = createEventDispatcher();
-    let AccessKeyId, SecretAccessKey, passphrase
 
+    let errorMsg = null;
+    let alert;
+    let AccessKeyId, SecretAccessKey, passphrase, confirmPassphrase
+
+    function confirm() {
+        if (passphrase !== confirmPassphrase) {
+            errorMsg = 'Passphrases do not match.'
+        }
+    }
+
+    let saving = false;
     async function save() {
+        if (passphrase !== confirmPassphrase) {
+            alert.shake();
+            return;
+        }
+
+        let credentials = {AccessKeyId, SecretAccessKey};
         try {
-            console.log('Saving credentials.');
-            let credentials = {AccessKeyId, SecretAccessKey};
-            console.log(credentials);
+            saving = true;
             await invoke('save_credentials', {credentials, passphrase});
-            if (appState.currentRequest) {
-                dispatch('navigate', {target: 'ShowApproved'})
+            if ($appState.currentRequest) {
+                navigate('Approve');
             }
             else {
-                dispatch('navigate', {target: 'Home'})
+                navigate('Home');
             }
         }
         catch (e) {
-            console.log("Error saving credentials:", e);
+            window.error = e;
+            const root = getRootCause(e);
+            if (e.code === 'GetSession' && root.code) {
+                errorMsg = `Error response from AWS (${root.code}): ${root.msg}`;
+            }
+            else {
+                errorMsg = e.msg;
+            }
+
+            // if the alert already existed, shake it
+            if (alert) {
+                alert.shake();
+            }
+
+            saving = false;
         }
     }
 </script>
 
 
-<form action="#" on:submit|preventDefault="{save}">
-    <div class="text-gray-200">AWS Access Key ID</div>
-    <input class="text-gray-200 bg-zinc-800" type="text" bind:value="{AccessKeyId}" />
 
-    <div class="text-gray-200">AWS Secret Access Key</div>
-    <input class="text-gray-200 bg-zinc-800" type="text" bind:value="{SecretAccessKey}" />
+<form action="#" on:submit|preventDefault="{save}" class="form-control space-y-4 max-w-sm m-auto p-4 h-screen justify-center">
+    <h2 class="text-2xl font-bold text-center">Enter your credentials</h2>
 
-    <div class="text-gray-200">Passphrase</div>
-    <input class="text-gray-200 bg-zinc-800" type="text" bind:value="{passphrase}" />
+    {#if errorMsg}
+        <ErrorAlert bind:this="{alert}">{errorMsg}</ErrorAlert>
+    {/if}
 
-    <input class="text-gray-200" type="submit" />
+    <input type="text" placeholder="AWS Access Key ID" bind:value="{AccessKeyId}" class="input input-bordered" />
+    <input type="password" placeholder="AWS Secret Access Key" bind:value="{SecretAccessKey}" class="input input-bordered" />
+    <input type="password" placeholder="Passphrase" bind:value="{passphrase}" class="input input-bordered" />
+    <input type="password" placeholder="Re-enter passphrase" bind:value={confirmPassphrase} class="input input-bordered" on:change={confirm} />
+
+    <button type="submit" class="btn btn-primary">
+        {#if saving}
+            <Spinner class="w-5 h-5" color="primary-content" thickness="2px"/>
+        {:else}
+            Submit
+        {/if}
+    </button>
+    <Link target="Home" hotkey="Escape">
+        <button class="btn btn-sm btn-outline w-full">Cancel</button>
+    </Link>
 </form>

src/views/Home.svelte

@@ -1,18 +1,49 @@
 <script>
-    import { onMount, createEventDispatcher } from 'svelte';
+    import { onMount } from 'svelte';
+    import { invoke } from '@tauri-apps/api/tauri';
 
-    export let appState;
+    import { appState } from '../lib/state.js';
+    import { navigate } from '../lib/routing.js';
+    import Nav from '../ui/Nav.svelte';
+    import Icon from '../ui/Icon.svelte';
+    import Link from '../ui/Link.svelte';
 
-    const dispatch = createEventDispatcher();
+    import vaultDoorSvg from '../assets/vault_door.svg?raw';
 
-    onMount(async () => {
-        // will block until a request comes in
-        let req = await appState.pendingRequests.get();
-        appState.currentRequest = req;
-        console.log('Got credentials request from queue:');
-        console.log(req);
-        dispatch('navigate', {target: 'Approve'});
-    });
+
+    // onMount(async () => {
+    //     // will block until a request comes in
+    //     let req = await $appState.pendingRequests.get();
+    //     $appState.currentRequest = req;
+    //     navigate('Approve');
+    // });
 </script>
 
-<h1 class="text-4xl text-gray-300">Creddy</h1>
+
+<Nav position="fixed">
+    <h2 slot="title" class="text-3xl font-bold">Creddy</h2>
+</Nav>
+
+<div class="flex flex-col h-screen items-center justify-center p-4 space-y-4">
+    {#await invoke('get_session_status') then status}
+        {#if status === 'locked'}
+
+            {@html vaultDoorSvg}
+            <h2 class="text-2xl font-bold">Creddy is locked</h2>
+            <Link target="Unlock" hotkey="Enter" class="w-64">
+                <button class="btn btn-primary w-full">Unlock</button>
+            </Link>
+
+        {:else if status === 'unlocked'}
+            {@html vaultDoorSvg}
+            <h2 class="text-2xl font-bold">Waiting for requests</h2>
+
+        {:else if status === 'empty'}
+            {@html vaultDoorSvg}
+            <h2 class="text-2xl font-bold">No credentials found</h2>
+            <Link target="EnterCredentials" hotkey="Enter" class="w-64">
+                <button class="btn btn-primary w-full">Enter Credentials</button>
+            </Link>
+        {/if}
+    {/await}
+</div>

src/views/Settings.svelte

@@ -0,0 +1,94 @@
+<script>
+    import { invoke } from '@tauri-apps/api/tauri';
+    import { type } from '@tauri-apps/api/os';
+
+    import { appState } from '../lib/state.js';
+    import Nav from '../ui/Nav.svelte';
+    import Link from '../ui/Link.svelte';
+    import ErrorAlert from '../ui/ErrorAlert.svelte';
+    import { Setting, ToggleSetting, NumericSetting } from '../ui/settings';
+
+    import { fly } from 'svelte/transition';
+    import { backInOut } from 'svelte/easing';
+
+
+    let error = null;
+    async function save() {
+        try {
+            await invoke('save_config', {config: $appState.config});
+        }
+        catch (e) {
+            error = e;
+            $appState.config = await invoke('get_config');
+        }
+    }
+
+    let osType = '';
+    type().then(t => osType = t);
+</script>
+
+
+<Nav>
+    <h2 slot="title" class="text-2xl font-bold">Settings</h2>
+</Nav>
+
+{#await invoke('get_config') then config}
+    <div class="max-w-md mx-auto mt-1.5 p-4">
+        <!-- <h2 class="text-2xl font-bold text-center">Settings</h2> -->
+
+        <ToggleSetting title="Start on login" bind:value={$appState.config.start_on_login} on:update={save}>
+            <svelte:fragment slot="description">
+                Start Creddy when you log in to your computer.
+            </svelte:fragment>
+        </ToggleSetting>
+
+        <ToggleSetting title="Start minimized" bind:value={$appState.config.start_minimized} on:update={save}>
+            <svelte:fragment slot="description">
+                Minimize to the system tray at startup.
+            </svelte:fragment>
+        </ToggleSetting>
+
+        <NumericSetting title="Re-hide delay" bind:value={$appState.config.rehide_ms} min={0} unit="Milliseconds" on:update={save}>
+            <svelte:fragment slot="description">
+                How long to wait after a request is approved/denied before minimizing
+                the window to tray. Only applicable if the window was minimized
+                to tray before the request was received.
+            </svelte:fragment>
+        </NumericSetting>
+
+        <NumericSetting
+            title="Listen port"
+            bind:value={$appState.config.listen_port}
+            min={osType === 'Windows_NT' ? 1 : 0}
+            on:update={save}
+        >
+            <svelte:fragment slot="description">
+                Listen for credentials requests on this port. 
+                (Should be used with <code>$AWS_CONTAINER_CREDENTIALS_FULL_URI</code>)
+            </svelte:fragment>
+        </NumericSetting>
+
+        <Setting title="Update credentials">
+            <Link slot="input" target="EnterCredentials">
+                <button class="btn btn-sm btn-primary">Update</button>
+            </Link>
+            <svelte:fragment slot="description">
+                Update or re-enter your encrypted credentials.
+            </svelte:fragment>
+        </Setting>
+    </div>
+{/await}
+
+{#if error}
+    <div transition:fly={{y: 100, easing: backInOut, duration: 400}} class="toast">
+        <div class="alert alert-error no-animation">
+            <div>
+                <span>{error}</span>
+            </div>
+
+            <div>
+                <button class="btn btn-sm btn-alert-error" on:click={() => error = null}>Ok</button>
+            </div>
+        </div>
+    </div>
+{/if}

src/views/ShowApproved.svelte

@@ -1,21 +0,0 @@
-<script>
-    import { onMount, createEventDispatcher } from 'svelte';
-    import { emit } from '@tauri-apps/api/event';
-    import { invoke } from '@tauri-apps/api/tauri';
-    
-    export let appState;
-    
-    onMount(async () => {
-        let response = {
-            id: appState.currentRequest.id,
-            approval: 'Approved',
-        }
-        await invoke('respond', {response});
-        appState.currentRequest = null;
-    });
-
-    const dispatch = createEventDispatcher();
-    window.setTimeout(() => dispatch('navigate', {target: 'Home'}), 3000);
-</script>
-
-<h1 class="text-4xl text-gray-300">Approved!</h1>

src/views/ShowDenied.svelte

@@ -1,21 +0,0 @@
-<script>
-    import { onMount, createEventDispatcher } from 'svelte';
-    import { emit } from '@tauri-apps/api/event';
-    import { invoke } from '@tauri-apps/api/tauri';
-    
-    export let appState;
-    
-    onMount(async () => {
-        let response = {
-            id: appState.currentRequest.id,
-            approval: 'Denied',
-        }
-        await invoke('respond', {response});
-        appState.currentRequest = null;
-    });
-
-    const dispatch = createEventDispatcher();
-    window.setTimeout(() => dispatch('navigate', {target: 'Home'}), 3000);
-</script>
-
-<h1 class="text-4xl text-gray-300">Denied!</h1>

src/views/ShowResponse.svelte

@@ -0,0 +1,38 @@
+<script>
+    import { onMount } from 'svelte';
+    import { draw, fade } from 'svelte/transition';
+
+    import { appState, completeRequest } from '../lib/state.js';
+    
+    let success = false;
+    let error = null;
+
+    let drawDuration = $appState.config.rehide_ms >= 750 ? 500 : 0;
+    let fadeDuration = drawDuration * 0.6;
+    let fadeDelay = drawDuration * 0.4;
+
+    onMount(() => {
+        window.setTimeout(
+            completeRequest,
+            // Extra 50ms so the window can finish disappearing before the redraw
+            Math.min(5000, $appState.config.rehide_ms + 50),
+        )
+    })
+</script>
+
+
+<div class="flex flex-col h-screen items-center justify-center max-w-max m-auto">
+    {#if $appState.currentRequest.approval === 'Approved'}
+        <svg xmlns="http://www.w3.org/2000/svg" class="w-36 h-36" fill="none" viewBox="0 0 24 24" stroke-width="1" stroke="currentColor">
+          <path in:draw="{{duration: drawDuration}}" stroke-linecap="round" stroke-linejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+        </svg>
+    {:else}
+        <svg xmlns="http://www.w3.org/2000/svg" class="w-36 h-36" fill="none" viewBox="0 0 24 24" stroke-width="1" stroke="currentColor">
+            <path in:draw="{{duration: 500}}" stroke-linecap="round" stroke-linejoin="round" d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+        </svg>
+    {/if}
+
+    <div in:fade="{{duration: fadeDuration, delay: fadeDelay}}" class="text-2xl font-bold">
+        {$appState.currentRequest.approval}!
+    </div>
+</div>

src/views/Unlock.svelte

@@ -1,25 +1,81 @@
 <script>
     import { invoke } from '@tauri-apps/api/tauri';
-    import { createEventDispatcher } from 'svelte';
+    import { onMount } from 'svelte';
 
-    export let appState;
+    import { appState } from '../lib/state.js';
+    import { navigate } from '../lib/routing.js';
+    import { getRootCause } from '../lib/errors.js';
+    import ErrorAlert from '../ui/ErrorAlert.svelte';
+    import Link from '../ui/Link.svelte';
+    import Spinner from '../ui/Spinner.svelte';
 
-    const dispatch = createEventDispatcher();
 
+    let errorMsg = null;
+    let alert;
     let passphrase = '';
+    let loadTime = 0;
+    let saving = false;
     async function unlock() {
-        console.log('invoking unlock command.')
+        // The hotkey for navigating here from homepage is Enter, which also
+        // happens to trigger the form submit event
+        if (Date.now() - loadTime < 10) {
+            return;
+        }
 
         try {
-            await invoke('unlock', {passphrase});
+            saving = true;
+            let r = await invoke('unlock', {passphrase});
+            $appState.credentialStatus = 'unlocked';
+            if ($appState.currentRequest) {
+                navigate('Approve');
+            }
+            else {
+                navigate('Home');
+            }
         }
         catch (e) {
-            console.log('Unlock error:', e);
+            const root = getRootCause(e);
+            if (e.code === 'GetSession' && root.code) {
+                errorMsg = `Error response from AWS (${root.code}): ${root.msg}`;
+            }
+            else {
+                errorMsg = e.msg;
+            }
+            
+            // if the alert already existed, shake it
+            if (alert) {
+                alert.shake();
+            }
+
+            saving = false;
         }
     }
+
+    onMount(() => {
+        loadTime = Date.now();
+    })
 </script>
 
-<form action="#" on:submit|preventDefault="{unlock}">
-    <div class="text-gray-200">Enter your passphrase:</div>
-    <input class="text-gray-200 bg-zinc-800" type="password" placeholder="correct horse battery staple" bind:value="{passphrase}" />
+
+<form action="#" on:submit|preventDefault="{unlock}" class="form-control space-y-4 max-w-sm m-auto p-4 h-screen justify-center">
+    <h2 class="font-bold text-2xl text-center">Enter your passphrase</h2>
+
+    {#if errorMsg}
+        <ErrorAlert bind:this="{alert}">{errorMsg}</ErrorAlert>
+    {/if}
+
+    <!-- svelte-ignore a11y-autofocus -->
+    <input autofocus name="password" type="password" placeholder="correct horse battery staple" bind:value="{passphrase}" class="input input-bordered" />
+
+    <button type="submit" class="btn btn-primary">
+        {#if saving}
+            <Spinner class="w-5 h-5" color="primary-content" thickness="2px"/>
+        {:else}
+            Submit
+        {/if}
+    </button>
+
+    <Link target="Home" hotkey="Escape">
+        <button class="btn btn-outline btn-sm w-full">Cancel</button>
+    </Link>
 </form>

tailwind.config.js

@@ -7,5 +7,7 @@ module.exports = {
   theme: {
     extend: {},
   },
-  plugins: [],
+  plugins: [
+    require('daisyui'),
+  ],
 }